On Mon, Sep 19, 2011 at 3:48 PM, James A. Donald <[email protected]> wrote:
> On 2011-09-20 5:16 AM, Nico Williams wrote:
>> [...]
>
> Suppose that zero knowledge logon is widely implemented:
>
> [points out that UI issues remain]

Of course. We need trusted UI paths. That's a hard problem.

We know users dislike SAS (secure attention sequences). We know people want full-screen apps. These constraints make it almost impossible, if not impossible, to get any sort of trusted UI path, and without that we might as well go home. A perfect PKI wouldn't help us either without a trusted UI path. And we know that the lock icon in browser status bars hasn't worked very well either.

The UI issue is critical. Is it fundamentally impossible to construct a workable, trusted UI path? I am not ready to conclude so.

For a desktop I'd say: reserve some screen real estate for a trusted UI where all password-like prompts from the system and "trusted" apps are to appear. Use a color scheme (or pattern, for the color blind) to label windows, etc., disallow nesting of windows with different labels, train users never to enter sensitive info in windows dressed in some color (say, red). And so on. These are not new ideas: they come from the "trusted desktop" world.

For smartphones and tablets I'd say: reserve one or more buttons (touch is OK) for the system, such as the home key in Android, and use that as an SAS to get at labeling information, and preferably, also, reserve an LED or a couple of lines of screen real estate for labeling as well.

Are there potential pitfalls in these approaches? Yes. For example: a home key SAS for touch screen systems had better have predictable, real-time response rates, or else it will be spoofable.

The question is: is any of the above fundamentally flawed? Are there any other alternative UI designs that are not fundamentally flawed?

Nico
--
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
