2011/6/15 Nico Williams <[email protected]>:
>> * a method that hands over a password (or a password-equivalent)
>> * a method whose UI can be imitated by malicious sites.
> The protocol and UI are not that closely related. I can't think of
> any method that satisfies the first requirement that couldn't have a
> secure UI.

How about a simple form-field extension which encrypts some password with timed challenges?

OK, but your point suggests the following rephrasing:

* a UI which can be imitated by malicious sites.

Although they are not closely related, we cannot completely ignore the UI issues. I think that protocol designs should, to some extent, consider how such UI is to be provided (especially when and how they are kicked in).

How about it?

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
