On Thu, Sep 22, 2011 at 4:46 PM, Peter Gutmann <[email protected]> wrote:
> Ben Laurie <[email protected]> writes:
>
>>Well, don't tease. How?
>
> The link I've posted before (but didn't want to keep spamming to the list):
>
> http://www.cs.auckland.ac.nz/~pgut001/pubs/pki_risk.pdf

That was a fun read and I mostly agree, but it raises some questions...

a) Key continuity is nice, but ... are you swapping one set of problems for another? What happens when I lose my key? How do I roll my key? I just added a second server with a different key, and now a bunch of users have the "wrong" key - what do I do? How do I deal with a compromised key?

b) Entering passwords on a new site: again, nice, but how will you detect sites that merely mimic password entry? Wide acceptance would lead to avoidance techniques that seem hard to detect.
