[19452] in cryptography@c2.net mail archive


Re: ADMIN: end of latest SSL discussion

daemon@ATHENA.MIT.EDU (James A. Donald)
Wed Dec 28 12:01:16 2005

X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com,
	"Perry E. Metzger" <perry@piermont.com>
Date: Tue, 27 Dec 2005 23:18:08 -0800
In-reply-to: <87y8263wmu.fsf@snark.piermont.com>

    --
In the SSL thread various solutions were proposed, or 
rather existing solutions pointed to:

1.  SSH just works.   So generalizing from the success 
of SSH, the browser should remember who you have 
relationships with, and the keys of the people you have 
relationships with.   To avoid the name overload 
problem, those relationships should be named by Zooko's 
triangle, as the petname tool does, and should be a 
special kind of favorite, as the petname tool makes 
them.   This requires that establishing a relationship, 
and verifying a shared secret, should be part of the 
browser chrome, as it is with SSH, rather than a 
particular application of generic web forms, as it is 
with existing practice.   So when you hit a phisher, 
significantly different chrome comes up.

2. Phishers are after shared secrets, so secure each 
shared secret, and thus each relationship, with 
SRP-TLS-OpenSSL. This also requires that establishing a 
relationship, and verifying a shared secret, should be 
part of the browser chrome, rather than a particular 
application of generic web forms. 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     8epIQqxZ+sfUW+5ao0hWd4g/hAhRlqifZr6xWoQn
     47kvMBcL6UqQ54XSgEcxbJd8xqAh2LSxufi/3IBdG
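The first proposal above (a browser that remembers the keys of the parties you have relationships with, named by user-chosen petnames, with distinct chrome for a stranger versus a known party versus a changed key) can be illustrated with a small key-continuity store in the style of SSH's known_hosts. This is an added example, not code from the post or from the petname tool; the host names, key bytes and petnames are constructed for the demonstration, and the three outcomes are a hypothetical way of naming the chrome states the post describes.

```python
"""Key-continuity store with petnames, in the style of SSH's known_hosts.

Added illustration of proposal 1: a relationship is created only through
dedicated chrome, the browser remembers the key it saw then, and later
visits are classified into three states that should look different.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Outcome(Enum):
    # Host never seen: no petname can be shown, so a look-alike phisher
    # gets only the plain "stranger" chrome, however convincing the page.
    NO_RELATIONSHIP = "stranger: default chrome, no petname"
    # Host seen before and the key matches: show the user's own petname.
    KNOWN = "known relationship: petname chrome"
    # Host seen before but the key changed: a MITM or a re-keyed server.
    KEY_MISMATCH = "remembered key differs: warning chrome, block"


def fingerprint(pubkey: bytes) -> str:
    """Stable identifier for a key; only the fingerprint is remembered."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass
class Relationship:
    petname: str       # chosen by the user, so a site cannot spoof it
    host: str          # the global name the server claims
    fingerprint: str   # the key observed when the relationship was set up


@dataclass
class PetnameStore:
    by_host: dict = field(default_factory=dict)

    def establish(self, petname: str, host: str, pubkey: bytes) -> None:
        """Create a relationship. Meant to be reachable only from browser
        chrome, never from a web form served by the site itself."""
        if host in self.by_host:
            raise ValueError(f"relationship with {host!r} already exists")
        if any(r.petname == petname for r in self.by_host.values()):
            raise ValueError(f"petname {petname!r} already in use")
        self.by_host[host] = Relationship(petname, host, fingerprint(pubkey))

    def check(self, host: str, pubkey: bytes):
        """Classify a connection; returns (Outcome, petname or None)."""
        rel: Optional[Relationship] = self.by_host.get(host)
        if rel is None:
            return Outcome.NO_RELATIONSHIP, None
        if rel.fingerprint != fingerprint(pubkey):
            return Outcome.KEY_MISMATCH, rel.petname
        return Outcome.KNOWN, rel.petname


def demo():
    """Constructed scenario: one real relationship, a look-alike host,
    and the real host presenting a different key."""
    store = PetnameStore()
    bank_key = b"constructed public key of bank.example"
    store.establish("my bank", "bank.example", bank_key)
    return {
        "real": store.check("bank.example", bank_key),
        "lookalike": store.check("bank-secure.example", b"constructed phisher key"),
        "mitm": store.check("bank.example", b"constructed attacker key"),
    }


if __name__ == "__main__":
    for label, (outcome, petname) in demo().items():
        print(f"{label:9s} -> {outcome.value} (petname={petname})")
```

The point of the three-way split is that the look-alike host and the real host with a changed key both fail to produce the petname chrome, and they fail differently: the first is simply a stranger, the second is a remembered party whose key no longer matches, which is the case that warrants a hard stop rather than a dialog.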

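The second proposal secures each shared secret with SRP, so it is worth seeing the exchange with both sides' messages. The following is an added example, not code from the post or from the SRP-TLS-OpenSSL work it mentions: an SRP-6a exchange using the 1024-bit group from RFC 5054 (transcribed here; check it against the RFC before relying on it) and SHA-256. The message proofs M1 = H(A | B | K) and M2 = H(A | M1 | K) are a simplification of the RFC 2945 proofs, chosen for brevity; the identities and passwords are constructed. The server stores only a salt and verifier, the password never leaves the client, and a party that does not hold the right verifier cannot finish the exchange.

```python
"""SRP-6a password-authenticated key exchange, client and server sides.

Added example. Group: RFC 5054 Appendix A, 1024 bits, g = 2 (transcribed).
Proof messages are a simplified H(A|B|K) / H(A|M1|K), not the RFC 2945 form.
"""
import hashlib
import hmac
import secrets

N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
G = 2
N_LEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def Hint(*parts: bytes) -> int:
    return int.from_bytes(H(*parts), "big")


def pad(x: int) -> bytes:
    """Left-pad to the group size, as RFC 5054 specifies for hashed values."""
    return x.to_bytes(N_LEN, "big")


K_MULT = Hint(pad(N), pad(G))  # multiplier k = H(N | PAD(g))


def enroll(identity: bytes, password: bytes, salt: bytes = b""):
    """Registration, done once on the client: the server keeps (salt, v) only."""
    salt = salt or secrets.token_bytes(16)
    x = Hint(salt, H(identity + b":" + password))
    return salt, pow(G, x, N)


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.identity, self.password = identity, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(G, self.a, N)
        self.K = self.M1 = None

    def hello(self):
        """Message 1, client -> server: (I, A)."""
        return self.identity, self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        """Message 3, client -> server: proof M1. Password is used only here."""
        if B % N == 0:
            raise ValueError("illegal server public value")
        u = Hint(pad(self.A), pad(B))
        x = Hint(salt, H(self.identity + b":" + self.password))
        # B - k*g^x == g^b only if the server built B from the right verifier.
        S = pow((B - K_MULT * pow(G, x, N)) % N, self.a + u * x, N)
        self.K = H(pad(S))
        self.M1 = H(pad(self.A), pad(B), self.K)
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        """Message 4 check: the server proved it holds the same K."""
        return hmac.compare_digest(M2, H(pad(self.A), self.M1, self.K))


class Server:
    def __init__(self, identity: bytes, salt: bytes, verifier: int):
        self.identity, self.salt, self.v = identity, salt, verifier
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (K_MULT * self.v + pow(G, self.b, N)) % N
        self.A = self.K = None

    def challenge(self, identity: bytes, A: int):
        """Message 2, server -> client: (salt, B)."""
        if identity != self.identity or A % N == 0:
            raise ValueError("unknown identity or illegal client public value")
        self.A = A
        u = Hint(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N) % N, self.b, N)
        self.K = H(pad(S))
        return self.salt, self.B

    def verify_client(self, M1: bytes):
        """Message 4, server -> client: M2 if M1 is right, else None (refuse)."""
        expected = H(pad(self.A), pad(self.B), self.K)
        if not hmac.compare_digest(expected, M1):
            return None
        return H(pad(self.A), M1, self.K)


def run_exchange(client_password: bytes, server_password: bytes,
                 identity: bytes = b"alice"):
    """Full exchange; returns (client accepted server, server accepted client)."""
    salt, v = enroll(identity, server_password)     # what the server holds
    server, client = Server(identity, salt, v), Client(identity, client_password)
    I, A = client.hello()
    salt, B = server.challenge(I, A)
    M1 = client.respond(salt, B)
    M2 = server.verify_client(M1)
    server_ok = M2 is not None
    return (server_ok and client.verify_server(M2)), server_ok


if __name__ == "__main__":
    print("genuine:", run_exchange(b"correct horse", b"correct horse"))
    print("wrong verifier (phisher):", run_exchange(b"correct horse", b"guess"))
```

The second call models a phishing server: it can run the protocol, but without the verifier for this user its B is built from the wrong v, the two sides derive different K, and neither proof verifies, so the client learns the far end is not the party it has a relationship with, and the password itself was never transmitted for the phisher to capture.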


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
