For example, suppose I want to dial out for pizza from the
ExtraMushrooms Pizza Company. If all I know about ExtraMushrooms is
their name, then there's absolutely nothing I can do to contact them
that can't be spoofed by EvilMallet's credit card grabber, unless
there's some trusted third party I can grab authentication information
from. That might be a trusted nameserver that I know the Kerberos ID
for, or a URL from a trusted friend embedded in an authenticated
document.

Authenticating something is often easier than working out what you're
trying to authenticate.
Paul Crowley pdc@dcs.ed.ac.uk
Trust me. I know what I'm doing.
Disclaimer: I've only just caught the tail end of this discussion, so I
don't know what it's really about. I'm not a cryptologist, but I play
one in my so-called spare time. I don't know HTTP all that well.