[liberationtech] Announcing a privacy preserving authentication protocol

Kyle Maxwell kylem at xwell.org
Tue Mar 12 16:31:56 PDT 2013


I appreciate the intention, but I see a lot of problems here. Without
doing an exhaustive analysis:

A. This doesn't eliminate phishing because users will still enter
their credentials at a site that doesn't actually match the one where
the cert was previously signed. Otherwise, existing HTTPS controls
would already protect them.

B. What zone would contain user keys for DNSSEC?

C. Your message transport protocol seems a little unclear - could you
walk through it?

There are more issues here, but at a minimum I feel like it doesn't
adequately address a broad enough threat model.

On Tue, Mar 12, 2013 at 4:08 PM, Guido Witmond <guido at witmond.nl> wrote:
> Ladies and Gentlemen,
>
>
> I've long disliked the direction the internet headed with regards to
> privacy. Or its total disregard of it.
>
> I've come up with a novel architecture of existing old and recent
> cryptographic tools that offers a substantial improvement in security and
> privacy. I call it Eccentric Authentication.
>
> Unlike the current CA-system that requires people to trust them to gain
> security, my protocol turns that upside down. Security is what the protocol
> provides. Trust is what people gain by using the system.
>
> The protocol is mostly compatible with the current internet as we know it.
> And it prevents most phishing attacks for free.
>
> I have the hope that this protocol can shift the balance of security and
> privacy a bit back towards the people.
>
> I've written a technical description at [1]. I hope it makes things a bit
> clear. Feel free to comment.
>
> With regards. Guido Witmond.
>
> 1: http://witmond.nl/ecca/eccentric-authentication.html


