Re: HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?

Dear Daniel,

Daniel Stenberg <daniel@haxx.se> writes:

> means which is beyond the scope of this protocol but still I think the
> way that is written is slightly misleading.

You're correct, and as you might guess the phrase is for
phishing-like attacks.  We still need TLS against eavesdropping.

# In our scheme, passwords themselves are safe even with eavesdropping,
# but we don't claim that it's enough for security.

I will seek a better and clearer phrase in the next draft.

Thank you very much,

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

Received on Tuesday, 5 January 2010 08:33:57 UTC