Subject: RE: [imi] Question regarding encryption
John Bradley wrote on 2009-12-07:

> Yes, I think in practice a non-auditing card may not meet LoA 3. It would
> at least be a discussion.

I don't know whether it does or not. My point is that no sane user would use one for anything important if they understood the risk. You're handing your identity over to a RP who's then free to impersonate you to other sites accepting non-auditing tokens for the life of the bearer window.

It's not about getting your token stolen by some obscure network attack, this is just blatantly unsafe, no different than handing over a reusable "OTP".

-- Scott