[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

James A. Donald jamesd at echeque.com
Wed Jul 13 14:17:49 EDT 2011

On 2011-07-13 9:10 PM, Peter Gutmann wrote:
> As for Microsoft, Opera, etc who knows?  (If you work on, or have worked on,
> any of these browsers, I'd like to hear more about why it hasn't been
> considered).  I think it'll be a combination of two factors:
> 1. Everyone knows that passwords are insecure so it's not worth trying to do
>     anything with them.
> 2. If you add failsafe mutual authentication via EKE to browsers, CAs become
>     entirely redundant.

Indeed, if EKE is implemented in the most straightforward way, any page 
or data that can only be accessed while logged in is securely encrypted 
even if accessed over http.

Free browsers are supported by CAs.  EKE enabled browsers would only be 
supported by people needing secure logins, which form a less 
concentrated interest, therefore an interest less capable of providing 
public goods.