On 2011-07-13 9:10 PM, Peter Gutmann wrote:
> As for Microsoft, Opera, etc who knows? (If you work on, or have worked on,
> any of these browsers, I'd like to hear more about why it hasn't been
> considered). I think it'll be a combination of two factors:
>
> 1. Everyone knows that passwords are insecure so it's not worth trying to do
>    anything with them.
>
> 2. If you add failsafe mutual authentication via EKE to browsers, CAs become
>    entirely redundant.

Indeed, if EKE is implemented in the most straightforward way, any page
or data that can only be accessed while logged in is securely encrypted
even if accessed over http.

Free browsers are supported by CAs. EKE enabled browsers would only be
supported by people needing secure logins, which form a less
concentrated interest, therefore an interest less capable of providing
public goods.