Florian Weimer wrote:
> There is no way to force an end user to enter a
> password only over SRP.

Phishing relies on the login page looking familiar.  If
SRP is in the browser chrome, and looks strikingly
different from any web page, the login page will not
look familiar.

> Fortunately, it doesn't matter because today, we must
> assume that the client is thoroughly compromised,
> which means that entering passwords over SRP isn't
> safe, either.

That is an all purpose argument that is deployed
selectively against some measures and not others.

         James A. Donald

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to