[cryptography] Request - PKI/CA History Lesson

James A. Donald jamesd at echeque.com
Thu May 1 03:19:36 EDT 2014


On 2014-04-30 02:14, Jeffrey Goldberg wrote:
> On 2014-04-28, at 5:00 PM, James A. Donald <jamesd at echeque.com> wrote:
>
>> Cannot outsource trust. Ann usually knows more about Bob than a distant authority does.
>
> So should Ann verify the fingerprints of Amazon, and Paypal herself?

Ann should be logging on by zero knowledge password protocol, so that 
the entity that she logs on to proves it already knows the hash of her 
password.

ZKPP has to be in the browser chrome, not on the browser web page.

> How do you see that working assuming that Ann is an "ordinary user"?

To the ordinary user, it should not behave any differently, and should only 
look different in that the ZKPP login screen looks different from any 
possible web page in a way that is quite difficult to fake for any 
software that does not already have total control of the user's machine.

Details of how to achieve an unfakeable logon screen appearance depend on 
the OS version.  To make the ZKPP logon screen in Windows 7 different from 
any possible web page, have the browser web page vanish when the 
browser's genuine ZKPP logon screen is up.  Analogous but different 
gimmicks are feasible in other operating systems and system versions.
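The mechanism the message relies on, a login in which the server must prove it already holds the password-derived verifier, can be made concrete with an augmented PAKE. The following is an added illustration, not code from the post or from any browser: it implements SRP-6a-style arithmetic (the choice of SRP is an assumption, the message does not name a protocol) over a toy 128-bit safe prime generated at import, where a real deployment would use one of the standardized 2048-bit or larger groups. The names `Client`, `Server`, `Phisher`, `enroll` and `run_login` are invented for the example. The `Phisher` models the site Ann might be lured to: it knows her username and even her salt, but not her verifier `v`, so the proof it returns does not check out and Ann's client rejects the login.

```python
# Added example (not from the original post): SRP-6a-style zero-knowledge
# password proof with mutual authentication, over a toy 128-bit group.
import hashlib
import random

_rng = random.SystemRandom()


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test, adequate for the toy group here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits=128):
    """Find N = 2q + 1 with both q and N prime, so g = 2 has large order."""
    while True:
        q = _rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


N = safe_prime(128)   # toy size; real systems use standardized >= 2048-bit groups
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over the concatenation; ints are big-endian, padded to |N| bytes."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(max(NLEN, (p.bit_length() + 7) // 8), "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)   # SRP-6a multiplier


def _x(salt, username, password):
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def enroll(username, password):
    """Registration: the server stores (salt, v = g^x); it never sees the password."""
    salt = _rng.getrandbits(128).to_bytes(16, "big")
    return salt, pow(g, _x(salt, username, password), N)


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def start(self):
        self.a = _rng.randrange(1, N)
        self.A = pow(g, self.a, N)
        return self.username, self.A

    def respond(self, salt, B):
        """Derive the session key from the server's B and prove knowledge of the password."""
        if B % N == 0:
            raise ValueError("invalid B")
        x, u = _x(salt, self.username, self.password), H(self.A, B)
        base = (B - k * pow(g, x, N)) % N          # equals g^b only if the server used the real v
        self.K = H(pow(base, self.a + u * x, N))
        self.M1 = H(self.A, B, self.K)
        return self.M1

    def verify_server(self, M2):
        """True only if the other side derived the same K, i.e. it held v."""
        return M2 == H(self.A, self.M1, self.K)


class Server:
    def __init__(self, records):   # records: {username: (salt, v)}
        self.records, self.client_verified = records, False

    def challenge(self, username, A):
        if A % N == 0:
            raise ValueError("invalid A")
        salt, self.v = self.records[username]
        self.A, self.b = A, _rng.randrange(1, N)
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return salt, self.B

    def _key(self):
        u = H(self.A, self.B)
        return H(pow(self.A * pow(self.v, u, N) % N, self.b, N))

    def finish(self, M1):
        K = self._key()
        self.client_verified = M1 == H(self.A, self.B, K)
        return H(self.A, M1, K) if self.client_verified else None   # M2 proves the server holds v


class Phisher(Server):
    """A look-alike site without Ann's v: it must guess and cannot check M1, so it bluffs an M2."""
    def finish(self, M1):
        return H(self.A, M1, self._key())


def run_login(client, server):
    """Run one login; return True only if the client accepts the server's proof."""
    username, A = client.start()
    salt, B = server.challenge(username, A)
    M2 = server.finish(client.respond(salt, B))
    return M2 is not None and client.verify_server(M2)
```

Three runs make the point: the genuine server with the right password accepts and is accepted; the genuine server with a wrong password rejects; and the phishing site, holding a made-up verifier, is rejected by Ann's client even though it knew her real salt. Whether the user can tell that the dialog asking for the password is the browser's own ZKPP screen rather than a web page is the separate problem the message goes on to discuss, and no protocol code solves it.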



More information about the cryptography mailing list