[114874] in cryptography@c2.net mail archive


Re: Dutch Transport Card Broken

daemon@ATHENA.MIT.EDU (James A. Donald)
Sun Feb 10 11:24:00 2008

Date: Sun, 10 Feb 2008 19:23:59 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, cryptography@metzdowd.com, perry@piermont.com
In-Reply-To: <20080207054200.68c64502@yellowstone.machshav.com>

Steven M. Bellovin wrote:
 > There's another issue: initial account setup.  [Even
 > with SRP] people will still need to rely on
 > certificate-checking for that.  It's a real problem at
 > some hotspots, where Evil Twin attacks are easy and
 > lots of casual users are signing up for the first
 > time.

For banks and health care, initial account setup always
involves out-of-band communication, so certificate
checking is not needed.

We need to build our security mechanisms to fit
characteristic human out-of-band security, rather than
trying to force humans to imitate computers.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
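The setup-versus-login split the thread argues about, shown as an added example (not code from the thread or from any SRP library): a minimal SRP-6a registration and login in Python, where only the one-time (salt, verifier) pair needs a trusted channel and later logins exchange nothing a certificate would protect. The group constant is assumed from RFC 5054 and the hash layout is a simplified choice, not the RFC 5054 TLS encoding.

```python
import hashlib
import secrets

# 1024-bit safe prime and generator from RFC 5054, transcribed here as an
# assumption; check against the RFC before relying on this constant.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7"
    "496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B"
    "6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF"
    "4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: int) -> int:
    """SHA-256 over the big-endian, N-sized encodings of the arguments."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def x_from(salt: bytes, user: str, pw: str) -> int:
    """Private value derived from salt and password; never leaves the client."""
    inner = hashlib.sha256(f"{user}:{pw}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")

def register(user: str, pw: str) -> tuple:
    """Initial account setup on the client: (salt, verifier) is all the
    server ever stores, and it must reach the server over a channel the
    user trusts (the out-of-band step the thread argues about)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, x_from(salt, user, pw), N)

def login(user: str, pw: str, salt: bytes, v: int) -> tuple:
    """One SRP-6a exchange; returns (client session key, server session key).
    Only A and B cross the wire; neither the password nor the verifier does."""
    a = secrets.randbelow(N - 2) + 1
    b = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                       # client -> server
    B = (k * v + pow(g, b, N)) % N         # server -> client
    u = H(A, B)
    if u == 0:
        raise ValueError("degenerate scrambling parameter")
    x = x_from(salt, user, pw)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # client side
    S_s = pow(A * pow(v, u, N) % N, b, N)                  # server side
    return H(S_c), H(S_s)
```

With the right password both sides derive the same key; with a wrong one they diverge, and an eavesdropper on the login sees only A and B.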
