At Wed, 12 Sep 2007 16:20:09 +0200, Eliot Lear wrote:
> > Eric,
> > As I noted in my review, we already have a number of protocols which
> > potentially provide this functionality, including mutual authentication.
> >
>
> And I think looking at protocols without an understanding of how they
> are used and how they interact with the UI is just as wrong as
> attempting to fix the problem simply within the UI. You wrote that some
> mechanisms could be made to work. You might be right, but I'm not
> convinced. Someone actually has to write out how these mechanisms, such
> as challenge/response ARE made to work with a web browser and a
> transactional protocol, such that they also actually solve Eliot's Dad's
> problem (EDP ;-) of the user not shooting themselves in the foot by
> transmitting the same credential to multiple disparate relying parties
> (or authenticating services, if you will).

None of the systems I mentioned (TLS-PSK, SRP, PwdHash) has this
problem--provided that the user actually uses the new authentication
method and doesn't type his password into some Web form. But of course
that's a UI problem, not a protocol problem.

-Ekr

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
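To make Ekr's point concrete, here is an added illustration (not code from the thread, and only a PwdHash-style stand-in using HMAC-SHA256, not the actual PwdHash algorithm or its output encoding): with a per-site derivation, a relying party that leaks what it received exposes only itself, whereas a raw master password typed into a plain web form exposes every site it was reused at. The domain names and master password are constructed sample values.

```python
import hashlib
import hmac


def derive_site_password(master: str, domain: str) -> str:
    """Per-site credential a PwdHash-like browser mechanism would submit.

    Illustrative construction (assumption, not the real PwdHash scheme): the
    master password keys an HMAC over the relying party's domain, so each
    site receives a distinct value and never sees the master itself.
    """
    # Normalise the domain so capitalisation does not change the credential.
    digest = hmac.new(master.encode(), domain.lower().encode(), hashlib.sha256).digest()
    # Truncate to a password-sized string; a real scheme applies its own encoding.
    return digest.hex()[:20]


def credential_received(master: str, domain: str, mechanism_used: bool) -> str:
    """What the relying party at `domain` actually sees.

    Ekr's caveat: protection holds only if the user really goes through the
    mechanism. Typing the master password into an ordinary web form
    (mechanism_used=False) sends the same raw credential to whoever asked.
    """
    if mechanism_used:
        return derive_site_password(master, domain)
    return master


def sites_exposed(master: str, domains: list, compromised: str, mechanism_used: bool) -> set:
    """Relying parties whose login becomes known once `compromised` leaks the
    credential it received (a phishing page, or a leaked password database)."""
    leaked = credential_received(master, compromised, mechanism_used)
    return {d for d in domains if credential_received(master, d, mechanism_used) == leaked}


if __name__ == "__main__":
    # Constructed sample: one master password, three unrelated relying parties.
    master = "correct horse battery staple"
    sites = ["bank.example", "forum.example", "shop.example"]
    print("reuse,   forum leaks ->", sorted(sites_exposed(master, sites, "forum.example", False)))
    print("pwdhash, forum leaks ->", sorted(sites_exposed(master, sites, "forum.example", True)))
```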