Christian Huitema wrote:
There are a large number of protocol designs--even existing
protocols--which are compatible with the general paradigm of "user U
proves possession of password P to server A without giving A a
credential which can be used to impersonate U to server B".
HTTP Digest, TLS-PSK, SRP, and PwdHash all come to mind. The
difficult parts are:
(1) putting a sensible UI on it--including one that isn't easily
spoofed (see the extensive literature on how hard it is
to build a secure UI.
(2) Getting everyone to agree on one protocol.
Please add:
(3) The chosen solution is immune to dictionary attacks.
Well if we're going here then:
(4) The chosen solution requires that I have to remember zero or fewer
non-dictionary passwords
Mike
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf