On 15/09/2010 00:26, Nicolas Williams wrote:
> On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote:
>> How do you deliver Javascript to the browser securely in the first
>> place? HTTP?
> I'll note that Ben's proposal is in the same category as mine (which
> was, to remind you, implement SCRAM in JavaScript and use that, with
> channel binding using tls-server-end-point CB type).
> It's in the same category because it has the same flaw, which I'd
> pointed out earlier: if the JS is delivered by "normal" means (i.e., by
> the server), then the script can't be used to authenticate the server.

That's one of the reasons I said it was only good for experimenation.

http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to