Eric,
Each of these approaches has a fairly obvious architecture. In fact, Digest, which I forgot to mention in my previous message, already has a pre-existing architecture, and PwdHash works with the existing architecture.
You have to put the two together. ALL of the approaches that you mention fail given an insecure UI. NONE of them are likely to be applicable given a secure UI. What will be necessary is a secured channel from the authentication module of the user to the authenticating party. What is that? It's almost assuredly not going to include IP addresses. How will PSK-TLS work in such circumstances? What is the communication between the module and the browser? And add on top of ALL of that the UI and don't forget registration.
Eliot _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf