+1 - Stating Björn's position slightly differently: we need to acknowledge explicitly, as a design point, that many passwords are used by "password-aware proxies", not by the end-user.
Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society
email: [email protected]
Phone: +44 705 005 2931
Twitter: @futureidentity

On 12 Nov 2013, at 17:26, Bjoern Hoehrmann wrote:

> * Phillip Hallam-Baker wrote:
>> The biggest weakness in Internet protocols is relying on passwords for
>> authentication. What can we do to make the password mechanisms more secure
>> and to wean the Internet off passwords?
>
> When I started learning about web development in the late 1990s it came
> as a bit of a shock to me that other people can know my passwords. They are
> supposed to be secret! Later I learned it isn't even necessary for
> anyone other than me to know my passwords, except for convenience maybe. I
> also learned implementations of mechanisms like HTTP Authentication are
> so bad users cannot know whether they are logged in and cannot log out!
> These days it is normal and expected that devices and operating systems
> steal your passwords and passwords that have been entrusted to you. Not
> to mention this web forms + cookie madness.
>
> As far as web browsers are concerned, whether you are identifying to a
> web site, using which identity, including login and logout, is clearly
> a browser user interface concern, not a web site concern. My passwords
> are only needed on my devices so they can prove that I have them. These
> days I can easily synchronise them myself by holding my smartphone in
> front of a webcam if copying files over a wireless network is too hard.
> I can also easily back them up by printing a protected version of them.
> Beautifully, I can also use other people's devices to use services that
> I identify to without risking that my passwords are compromised. As far
> as theory is concerned anyway. That is what I would be interested in.
> --
> Björn Höhrmann · mailto:[email protected] · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Phone: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
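The kind of login Björn's message points at, where the password stays on the user's device and the device only proves it has it, is what a salted challenge-response mechanism such as SCRAM (RFC 5802, SHA-256 variant in RFC 7677) provides: the server stores only derived keys, and each exchange is bound to fresh nonces so a captured proof cannot be replayed. The following is an added example written for this page, not code from the thread or from any IETF implementation. It is a simplified SCRAM-style exchange in plain Python standard library; it omits channel binding, the GS2 header and the RFC's message encoding, and the names `Server`, `Client`, `login`, the iteration count and the `|`-joined AuthMessage layout are this example's own assumptions.

```python
"""Simplified SCRAM-style proof-of-possession login (after RFC 5802/7677).

Example code, not a full RFC implementation: no channel binding, no GS2
header, and a simplified AuthMessage encoding.
"""
import hashlib
import hmac
import secrets

HASH = "sha256"


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword = Hi(password, salt, i); RFC 5802's Hi() is PBKDF2-HMAC."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def hmac_(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """Stores StoredKey = H(ClientKey) and ServerKey per user, never the password."""

    def __init__(self, iterations: int = 4096):
        self.iterations = iterations
        self.users = {}  # username -> (salt, stored_key, server_key)

    def register(self, username: str, password: str) -> None:
        # Enrollment is the only moment the password is handled; in SCRAM the
        # client derives these values itself and only the derived keys are kept.
        salt = secrets.token_bytes(16)
        salted = hi(password.encode(), salt, self.iterations)
        client_key = hmac_(salted, b"Client Key")
        server_key = hmac_(salted, b"Server Key")
        self.users[username] = (salt, h(client_key), server_key)

    def first_message(self, username: str, client_nonce: bytes):
        """server-first-message: combined nonce, salt and iteration count."""
        salt, _, _ = self.users[username]
        return client_nonce + secrets.token_bytes(16), salt, self.iterations

    def verify(self, username: str, auth_message: bytes, client_proof: bytes):
        """Return ServerSignature on success, None on failure."""
        salt, stored_key, server_key = self.users[username]
        client_signature = hmac_(stored_key, auth_message)
        client_key = xor(client_proof, client_signature)  # recover ClientKey
        if not hmac.compare_digest(h(client_key), stored_key):
            return None
        return hmac_(server_key, auth_message)


class Client:
    """Keeps the password on the user's device; sends only a nonce-bound proof."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password.encode()

    def proof(self, auth_message: bytes, salt: bytes, iterations: int):
        salted = hi(self.password, salt, iterations)
        client_key = hmac_(salted, b"Client Key")
        client_signature = hmac_(h(client_key), auth_message)
        client_proof = xor(client_key, client_signature)
        expected_server_sig = hmac_(hmac_(salted, b"Server Key"), auth_message)
        return client_proof, expected_server_sig


def login(server: Server, username: str, password: str) -> bool:
    """Run one exchange; True only if client and server authenticate each other."""
    client = Client(username, password)
    client_nonce = secrets.token_bytes(16)
    combined_nonce, salt, iterations = server.first_message(username, client_nonce)
    if not combined_nonce.startswith(client_nonce):  # server must echo our nonce
        return False
    # AuthMessage binds both nonces, salt and iteration count: a proof captured
    # on the wire is useless against a later challenge with a different nonce.
    auth_message = b"|".join(
        [username.encode(), client_nonce, combined_nonce, salt, str(iterations).encode()]
    )
    client_proof, expected_server_sig = client.proof(auth_message, salt, iterations)
    server_sig = server.verify(username, auth_message, client_proof)
    if server_sig is None:
        return False
    return hmac.compare_digest(server_sig, expected_server_sig)


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")  # constructed sample user
    print("right password:", login(srv, "alice", "correct horse battery staple"))
    print("wrong password:", login(srv, "alice", "wrong"))
```

Two properties are worth checking against the stored record: the server side never holds the password or SaltedPassword, and the value it does hold, `h(client_key)`, cannot be turned into a valid ClientProof without either a dictionary attack on the PBKDF2 output or a captured exchange, which is the reason SCRAM stores the hash of ClientKey rather than ClientKey itself. A proxy in the path, as Robin notes, can only relay such an exchange; it cannot compute the proof.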
