At Wed, 12 Sep 2007 16:32:34 +0200, Eliot Lear wrote:
>
> Eric Rescorla wrote:
> > None of the systems I mentioned (TLS-PSK, SRP, PwdHash) has this
> > problem--provided that the user actually uses the new authentication
> > method and doesn't type his password into some Web form. But of
> > course that's a UI problem, not a protocol problem.
> >
> As I wrote, the problem is in both places. For one thing, TLS-PSK, SRP,
> and PwdHash all have the problem that they require some sort of secure
> interface on what is generally an insecure platform.

Yes, but this is not a protocol problem, it's a UI problem--an unsolved
one, I might add, but not an issue for the IETF.

> What is needed is
> a way to modularize and isolate those authentication transactions. Sam
> claims it can be done in software - fine. What is the communication
> path to and from? What's the architecture?

Each of these approaches has a fairly obvious architecture. In fact,
Digest, which I forgot to mention in my previous message, already has a
pre-existing architecture, and PwdHash works with the existing
architecture.

-Ekr

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
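A sketch of the PwdHash idea Ekr refers to, added here as an illustration and not code from the thread or from the PwdHash project: the browser derives a site-specific password from the master password and the site's domain, so a phishing site that receives the derived value holds something bound to its own domain, while a master password typed straight into a form is fully exposed. The HMAC-SHA256 construction and the two-label domain rule are simplifications assumed for this example, not the real PwdHash algorithm.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain label the derivation is keyed on.
    Assumption for this sketch: the last two host labels (e.g. example.com)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Site-specific password: HMAC keyed by the master password over the
    site key. Same master + same domain -> same value; any other domain
    (including a look-alike phishing host) -> an unrelated value."""
    mac = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:length]


def phishing_outcome(master: str, legit_url: str, phish_url: str, used_tool: bool) -> dict:
    """Model the user submitting credentials to phish_url.

    used_tool=True: the tool is in the loop, so the phishing site receives
    the derived password for *its own* domain.
    used_tool=False: the user typed the master password into the form
    (the UI failure Ekr describes), so the phishing site receives the
    master password and can recompute the legitimate site's password.
    """
    legit_pw = derive_site_password(master, legit_url)
    received = derive_site_password(master, phish_url) if used_tool else master
    # What the attacker can now present to the legitimate site:
    replayable = received if used_tool else derive_site_password(received, legit_url)
    return {
        "received": received,
        "can_login_to_legit": hmac.compare_digest(replayable, legit_pw),
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    m = "correct horse battery staple"
    print(phishing_outcome(m, "https://www.example.com/login", "https://example-login.net/", True))
    print(phishing_outcome(m, "https://www.example.com/login", "https://example-login.net/", False))
```

The second call shows the case the thread is arguing about: the protocol does its job, but nothing stops the user from bypassing it.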