[cryptography] phishing/password end-game (Re: Why anon-DH ...)

James A. Donald jamesd at echeque.com
Wed Jan 16 20:38:17 EST 2013

On 2013-01-17 9:02 AM, Adam Back wrote:
> There was a subthread in this huge PKI-is-failing and doesn't solve
> phishing thread looking at what might solve phishing (modulo engineering
> and deployment issues).
> To summarize Ian & Ben mentioned and I add a few:
> - client side certificates
> - password managers
> - browser auth
> - TPM to make credentials harder to steal
> - SRP, EKE
> - channel bound auth
> - two factor OTP
> - single sign on vendors
> So clearly the end game is not passwords.

The end game is passwords with SRP.  Even if you are using client side 
certificates, you have to be able to get your PC client side 
certificates onto your smartphone, which requires that you sign on to 
your PC using a password.
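For readers following the SRP/EKE item in the list above, here is an added, stand-alone illustration of what "passwords with SRP" means on the wire; it is not code from this thread or from any SRP library. It runs one SRP-6a exchange (the variant specified in RFC 5054) between a client that only knows the typed password and a server that only holds a salt and a verifier. The group is a freshly generated 128-bit safe prime chosen purely to keep the example fast and self-contained; real deployments use the fixed RFC 5054 groups of 1024 bits and up. The user name, password and the impostor scenario are constructed for the demo.

```python
"""SRP-6a walk-through (teaching example; demo-size group, not for production)."""
import hashlib
import secrets

SMALL_PRIMES = [p for p in range(3, 500, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=24):
    """Trial division followed by Miller-Rabin (error <= 4**-rounds)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits=128):
    """Return N = 2q + 1 with both q and N probably prime, so g = 2 is a safe generator."""
    q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


N = generate_safe_prime()            # demo-size group; use RFC 5054 groups for real
g = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(x):                          # group elements, fixed width as RFC 5054 requires
    return x.to_bytes(NBYTES, "big")


def hb(x):                           # 256-bit hash outputs as bytes
    return x.to_bytes(32, "big")


def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))                # SRP-6a multiplier


def private_x(username, password, salt):
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def enroll(username, password):
    """Server-side enrolment: the record is (salt, verifier); the password is never stored."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def run_srp(username, password, salt, verifier):
    """One exchange: client knows (username, password); server knows (salt, verifier).
    Only A, B, salt and two hashed proofs cross the wire. Returns
    (client_accepted_server, server_accepted_client)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                              # client -> server: username, A
    if A % N == 0:
        return False, False                       # server aborts on degenerate A
    b = secrets.randbelow(N - 2) + 1
    B = (k * verifier + pow(g, b, N)) % N         # server -> client: salt, B
    if B % N == 0:
        return False, False                       # client aborts on degenerate B
    u = H(pad(A), pad(B))
    if u == 0:
        return False, False
    x = private_x(username, password, salt)       # client side, from the typed password
    K_client = H(pad(pow((B - k * pow(g, x, N)) % N, a + u * x, N)))
    K_server = H(pad(pow(A * pow(verifier, u, N) % N, b, N)))  # server side, from v only
    M1 = H(pad(A), pad(B), hb(K_client))          # client -> server: proof of key
    if not secrets.compare_digest(hb(M1), hb(H(pad(A), pad(B), hb(K_server)))):
        return False, False                       # server rejects; no M2 is ever sent
    M2 = H(pad(A), hb(M1), hb(K_server))          # server -> client: proof it holds v
    client_ok = secrets.compare_digest(hb(M2), hb(H(pad(A), hb(M1), hb(K_client))))
    return client_ok, True


def impostor_attempt(username, password, salt):
    """A look-alike site without the real verifier: it sees A and M1 but cannot
    derive the key, so it can neither finish the login nor learn the password."""
    return run_srp(username, password, salt, secrets.randbelow(N - 2) + 1)
```

The two proofs are the point of the example: M1 lets the real server confirm the user without the password ever leaving the client, and M2 is something a phishing site cannot produce, because it lacks the verifier, so a client that insists on M2 before trusting the session is not fooled by a correct-looking page.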

