On 2011-09-20 8:46 AM, Nico Williams wrote:
> Of course. We need trusted UI paths. That's a hard problem. We know
> users dislike SAS (secure attention sequences). We know people want
> full-screen apps. These constraints make it almost impossible, if not
> impossible to get any sort of trusted UI path,

The user expects a login screen. Login screens are *not* traditionally
full screen, even on cell phones. Therefore, if we take login out of
the web page, if the user ceases to expect or perceive login as
happening out there on the web, but instead perceives it as happening
locally, the user will not expect a full screen login page.
That is how gamer apps usually do it.
If the login page has a distinctive look, not easily faked
(non-rectangular, overlapping the background, customized to user), it will be
a trustworthy UI path.
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography