>> And I think looking at protocols without an understanding of how they
>> are used and how they interact with the UI is just as wrong as
>> attempting to fix the problem simply within the UI. You wrote that some
>> mechanisms could be made to work. You might be right, but I'm not
>> convinced. Someone actually has to write out how these mechanisms, such
>> as challenge/response ARE made to work with a web browser and a
>> transactional protocol, such that they also actually solve Eliot's Dad's
>> problem (EDP ;-) of the user not shooting themselves in the foot by
>> transmitting the same credential to multiple disparate relying parties
>> (or authenticating services, if you will).
>>
>
> None of the systems I mentioned (TLS-PSK, SRP, PwdHash) has this
> problem--provided that the user actually uses the new authentication
> method and doesn't type his password into some Web form. But of
> course that's a UI problem, not a protocol problem.
>

and IMHO, any solution that doesn't let the user type his password into
some Web form is a non-starter, both for reasons of backward
compatibility and because sites (quite legitimately) want to provide a
visually attractive interface to users which is consistent across all
platforms (for support reasons).

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
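The thread names PwdHash as one mechanism that avoids the EDP problem (the same credential reaching several relying parties) as long as the derivation happens outside the web form. The following is an added illustration, not code from any of the thread participants and not the PwdHash project's own algorithm: a simplified domain-bound password derivation (HMAC-SHA256 keyed by the master password over the relying party's domain) showing why a credential derived this way is useless to a different relying party, and why a look-alike domain does not receive the same value. The registered-domain extraction (last two labels) is a constructed simplification; a real deployment would consult a public-suffix list.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def relying_party_domain(url: str) -> str:
    """Return the domain the derived credential is bound to.

    Constructed simplification: lowercase the host and keep its last two
    labels. A production implementation would use a public-suffix list so
    that e.g. 'example.co.uk' is handled correctly.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_site_password(master_password: str, url: str, length: int = 16) -> str:
    """Derive a per-relying-party password from a master password.

    The master password is the HMAC key and never leaves the client; only
    the derived value is sent to the site. Two sites receive unrelated
    values, so a leak at one does not expose the credential used at another.
    This is a hypothetical scheme in the spirit of PwdHash, not its algorithm.
    """
    domain = relying_party_domain(url)
    mac = hmac.new(master_password.encode("utf-8"),
                   domain.encode("utf-8"),
                   hashlib.sha256).digest()
    # URL-safe base64 without padding keeps the result typeable in a form.
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:length]


def credentials_are_isolated(master_password: str, urls) -> bool:
    """True if every distinct relying-party domain gets a distinct credential."""
    domains = {relying_party_domain(u) for u in urls}
    derived = {derive_site_password(master_password, u) for u in urls}
    return len(derived) == len(domains)


if __name__ == "__main__":
    # Constructed sample: one legitimate site reached via two URLs, plus a
    # look-alike domain of the kind a user might be lured to.
    master = "correct horse battery staple"
    urls = [
        "https://www.bank.example/login",
        "https://bank.example/account",
        "https://bank-example.net/login",
    ]
    for u in urls:
        print(f"{relying_party_domain(u):20s} -> {derive_site_password(master, u)}")
    print("isolated:", credentials_are_isolated(master, urls))
```

The caveat from the thread still applies: the derivation only helps if the user supplies the master password to the deriving component (browser extension, password manager) rather than into the site's own form, which is exactly the UI question the replies disagree on.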