what i am saying is that you cannot GUARANTEE this is the case. if i
remember correctly, just a few months ago verisign issued a cert for one
of microsoft's sites to an unauthorized entity -- things like that kinda
hinder utter faith in the authentication layer alone, don't you think?
add that to the unavoidable latitude for specific vendors and users
during implementation of whatever spec comes out of this group and you
have the *possibility* of compromise.
if you can make the case that it is impossible for this to happen
(which, from an academic perspective, is not possible because one cannot
prove 'non-existence'), then the balance between effort of
implementation of discrete responses vs. the likelihood of compromise is
an easy one. otherwise, i suggest that we at least perform due diligence
in determining what the ramifications of discrete response codes are.
i have no interest in one direction or the other, i just want to make
sure that the issue is raised.
Hal Lockhart wrote:
Excuse me. Are you saying that no means exists whereby a PEP and PDP could
mutually authenticate and exchange integrity and confidentiality protected
data over an insecure network?