Eric Rescorla wrote:
None of the systems I mentioned (TLS-PSK, SRP, PwdHash) has this
problem--provided that the user actually uses the new authentication
method and doesn't type his password into some Web form. But of
course that's a UI problem, not a protocol problem.
As I wrote, the problem is in both places. For one thing, TLS-PSK, SRP,
and PwdHash all have the problem that they require some sort of secure
interface on what is generally an insecure platform. What is needed is
a way to modularize and isolate those authentication transactions. Sam
claims it can be done in software - fine. What is the communication
path to and from? What's the architecture?
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf