[cryptography] Request - PKI/CA History Lesson
James A. Donald
jamesd at echeque.com
Thu May 1 03:19:36 EDT 2014
On 2014-04-30 02:14, Jeffrey Goldberg wrote:
> On 2014-04-28, at 5:00 PM, James A. Donald <jamesd at echeque.com> wrote:
>> Cannot outsource trust. Ann usually knows more about Bob than a distant authority does.
> So should Ann verify the fingerprints of Amazon, and Paypal herself?
Ann should be logging on by zero knowledge password protocol, so that
the entity that she logs on to proves it already knows the hash of her
ZKPP has to be in the browser chrome, not on the browser web page.
How do you see that working assuming that Ann is an "ordinary user"?
To the ordinary user, it should not behave any different, and should only
look different in that the ZKPP login screen looks different from any
possible web page in a way that is quite difficult to fake for any
software that does not already have total control of the user's machine.
Details of how to achieve unfakeable logon screen appearance depend on
OS version. To make the ZKPP logon screen in Windows 7 different from
any possible web page, have the browser web page vanish when the
browser's genuine ZKPP logon screen is up. Analogous but different
gimmicks are feasible in other operating systems and system versions.