Frank Siebenlist <[EMAIL PROTECTED]> writes:

>That's actually a sad observation.
>I keep telling my colleagues that this technology is coming "any day now" to
>a browser near you - didn't realize that that there was no interest with the
>browser companies to add support for this...

I know of a number of organisations (mostly governmental, but also some
financial) in various countries who are really, really keen to get support for
(as James Donald pointed out) cryptographically secured relationships (not
requiring PKI would be a big feature) into browsers, but no-one knows who to
beat over the head about it.  The last group I talked to (banks) were hoping
to use commercial pressure to get MS to add support for it in IE7^H^H8 at
which point Firefox would be forced to follow, but it's a slow process.

>Why do the browser companies not care?
>What is the adoption issue?
>Still the dark cloud of patents looming over it?
>Not enough understanding about the benefits? (marketing)
>Economic reasons that we wouldn't buy anymore server certs?

I think it's a combination of two factors:

1. Everyone knows that passwords are insecure, so it's not worth trying to do
   anything with them.

   (My counter-argument to this is that passwords are only insecure because
   protocol designers have chosen to make them insecure, see my previous post
   about the quaint 1970s-vintage hand-over-the-password model used by SSH and

2. If you add failsafe authentication to browsers, CAs become redundant.

   (My counter-argument to this is to ask whether browser security exists in
   order to provide a business model for CAs or to protect users.  Currently
   it seems to be the former, with EV certs being a prime example).

There are probably other contributory reasons as well.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to