[cryptography] phishing/password end-game (Re: Why anon-DH ...)

Jeffrey Walton noloader at gmail.com
Wed Jan 16 21:52:10 EST 2013


On Wed, Jan 16, 2013 at 9:21 PM,  <dan at geer.org> wrote:
>
>  > To clarify:  I think everyone and everything should be identified by
>  > their public key,...
>
> Would re-analyzing all this in a key-centric model rather than
> a name-centric model offer any insight?  (key-centric meaning
> that the key is the identity and "Dan" is an attribute of that
> key; name-centric meaning that Dan is the identity and the key
> is an attribute of that name)

I tend to look at it from a data-centric point of view, since the data is
all that matters:

  * Data at rest
  * Data in transit
  * Data on display

Note: data at rest can occur at both server (online) and device (offline).

Both a password and a document count as data. Bad bad-guys want the
password; and good bad-guys want the document. Bad bad-guys will try
to compromise different, more valuable accounts; good bad-guys will
want to analyze the document for ads and services.

It makes sense (to me) since the data is all that matters. Criminal
Organizations and Industry (is there a difference in the big picture?)
validate the presumption since they try so hard to get at it.

Your use cases drop out of the pre-existing relationships (or lack
thereof) and data states, and drive Local Passwords vs SRP vs Public
Key Identity based systems.

Jeff