James A. Donald wrote:

For password-authenticated key agreement such as TLS-SRP
or TLS-PSK to work, login has to be in the chrome.

Regrettably, login in the (non-customizable) chrome is unusable; this is why *everyone* now uses cookies instead of HTTP authentication. Just asking the user for a username instead of an email address can trip them up.

SSL has a worse problem AFAIK, which is that the server either always asks for a client cert (before the login page) or never asks, but I think we want to show a login page over SSL, *then* ask the user for their cert or password.

Despite its complexity, I'm thinking that something like infocards -- where some HTML tag or JS API can trigger the browser to perform secure authentication with an unspoofable UI -- is the way to go.

Wes Felter

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to