[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

Jeffrey Walton noloader at gmail.com
Wed Jul 13 14:33:35 EDT 2011


On Wed, Jul 13, 2011 at 2:17 PM, James A. Donald <jamesd at echeque.com> wrote:
> On 2011-07-13 9:10 PM, Peter Gutmann wrote:
>>
>> As for Microsoft, Opera, etc who knows?  (If you work on, or have worked on,
>> any of these browsers, I'd like to hear more about why it hasn't been
>> considered).  I think it'll be a combination of two factors:
>>
>> 1. Everyone knows that passwords are insecure so it's not worth trying to do
>>    anything with them.
>>
>> 2. If you add failsafe mutual authentication via EKE to browsers, CAs become
>>    entirely redundant.
>
> Indeed, if EKE is implemented in the most straightforward way, any page or
> data that can only be accessed while logged in, is securely encrypted even
> if accessed over http.
>
> Free browsers are supported by CAs.  EKE enabled browsers would only be
> supported by people needing secure logins, which form a less concentrated
> interest, therefore an interest less capable of providing public goods.

I believe Mozilla is [in]directly supported by Google. Mozilla has
made so much money, they nearly lost their tax exempt status:
http://tech.slashdot.org/story/08/11/20/1327240/IRS-Looking-at-GoogleMozilla-Relationship.

I was also talking with a fellow who told me NSS is owned by Red Hat.
While NSS is open source, the validated module is proprietary. I don't
use NSS (and have no need to interop with the library), so I never
looked into the relationship.

Jeff


