[144730] in cryptography@c2.net mail archive


Re: Client Certificate UI for Chrome?

daemon@ATHENA.MIT.EDU (Wes Felter)
Thu Aug 13 08:09:13 2009

To: cryptography@metzdowd.com
From:  Wes Felter <wesley@felter.org>
Date:  Wed, 12 Aug 2009 18:26:02 -0500
X-Complaints-To: usenet@ger.gmane.org
In-Reply-To: <4A7B869F.10801@echeque.com>

James A. Donald wrote:

> For password-authenticated key agreement such as TLS-SRP
> or TLS-PSK to work, login has to be in the chrome.

Regrettably, login in the (non-customizable) chrome is unusable; this is 
why *everyone* now uses cookies instead of HTTP authentication. Just 
asking the user for a username instead of an email address can trip them up.

SSL has a worse problem AFAIK, which is that the server either always 
asks for a client cert (before the login page) or never asks, but I 
think we want to show a login page over SSL, *then* ask the user for 
their cert or password.

Despite its complexity, I'm thinking that something like infocards -- 
where some HTML tag or JS API can trigger the browser to perform secure 
authentication with an unspoofable UI -- is the way to go.

Wes Felter

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
