On 2011-07-13 9:10 PM, Peter Gutmann wrote:
As for Microsoft, Opera, etc who knows? (If you work on, or have worked on, any of these browsers, I'd like to hear more about why it hasn't been considered). I think it'll be a combination of two factors:
1. Everyone knows that passwords are insecure so it's not worth trying to do anything with them.
2. If you add failsafe mutual authentication via EKE to browsers, CAs become entirely redundant.
Indeed, if EKE is implemented in the most straightforward way, any page or data that can only be accessed while logged in is securely encrypted even if accessed over http.
Free browsers are supported by CAs. EKE-enabled browsers would only be supported by people needing secure logins, which form a less concentrated interest, therefore an interest less capable of providing public goods.
