On Tue, Sep 20, 2011 at 12:42 AM, James A. Donald <[email protected]> wrote:
> On 2011-09-20 8:46 AM, Nico Williams wrote:
>
>> Of course. We need trusted UI paths. That's a hard problem. We know
>> users dislike SAS (secure attention sequences). We know people want
>> full-screen apps. These constraints make it almost impossible, if not
>> impossible to get any sort of trusted UI path,
>>
>
> The user expects a login screen. Login screens are *not* traditionally
> full screen, even on cell phones. Therefore, if we take login out of the
> web page, if the user ceases to expect or perceive login as happening out
> there on the web, but instead perceives it as happening locally, the user
> will not expect a full screen login page.
>

That is not the issue. The issue is that if an app can be full screen it can fake whatever a login window looks like.

>
> That is how gamer apps usually do it.
>
> If the login page has a distinctive look, not easily faked (non
> rectangular, overlapping the background, customized to user), it will be a
> trustworthy UI path.
>
>
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
>
