Template:User committed identity/doc: Difference between revisions

Line 67: Line 67:
An attacker without access to the account could claim that the current account's owner stole their identity. The attacker could state that they did not publish a hash when they used to own the account, or that they did not register an account and that someone else is using their name.
An attacker without access to the account could claim that the current account's owner stole their identity. The attacker could state that they did not publish a hash when they used to own the account, or that they did not register an account and that someone else is using their name.


An attacker may want to know the secret passphrase, pretending he wants to verify your ownership. He will use social behavior to convince you that you must reveal it. Then by revealing him the passphrase to him, he can pretend he is now the "legitimate" owner of your account. The passphrase verification (necessarily made by someone else) is inherently unsecure.
An attacker may want to know the secret passphrase, pretending he wants to verify your ownership. He will use social behavior to convince you that you must reveal it. Then by revealing him the passphrase to him, he can pretend he is now the "legitimate" owner of your account, and act on your behalf without asking you anything. The passphrase verification (necessarily made by someone else) is inherently unsecure.


This weakness does not indicate the [[en:commitment scheme]] is worthless, because the ''commit phase'' did not apply to all interested parties (the real person and all potential attackers).
This weakness does not indicate the [[en:commitment scheme]] is worthless, because the ''commit phase'' did not apply to all interested parties (the real person and all potential attackers).
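
Review bot: the revised passphrase paragraph still names the recipient twice in "by revealing him the passphrase to him"; since this edit touches that sentence, drop the first "him". In the same paragraph, "unsecure" should be "insecure", "social behavior" would read more clearly as "social engineering", and the attacker is "he" here while the preceding paragraph uses "they", so the pronoun should be made consistent. The paragraph also ends on the claim that verification by someone else is inherently insecure without saying what the account owner should do when asked for the passphrase. Consider adding a sentence on that, because the unchanged paragraph that follows goes straight to defending the commitment scheme.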