RE: Symptoms vs. Causes

> There are a large number of protocol designs--even existing
> protocols--which are compatible with the general paradigm of "user U
> proves possession of password P to server A without giving A a
> credential which can be used to impersonate U to server B".
> HTTP Digest, TLS-PSK, SRP, and PwdHash all come to mind. The
> difficult parts are:
> 
> (1) putting a sensible UI on it--including one that isn't easily
>     spoofed (see the extensive literature on how hard it is
>     to build a secure UI).
> (2) Getting everyone to agree on one protocol.

Please add:

(3) The chosen solution is immune to dictionary attacks.

-- Christian Huitema

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

