[cryptography] Request - PKI/CA History Lesson

Ben Laurie ben at links.org
Thu May 1 04:25:17 EDT 2014


On 1 May 2014 08:19, James A. Donald <jamesd at echeque.com> wrote:
> On 2014-04-30 02:14, Jeffrey Goldberg wrote:
>>
>> On 2014-04-28, at 5:00 PM, James A. Donald <jamesd at echeque.com> wrote:
>>
>>> Cannot outsource trust  Ann usually knows more about Bob than a distant
>>> authority does.
>>
>>
>> So should Ann verify the fingerprints of Amazon, and Paypal herself?
>
>
> Ann should be logging on by zero knowledge password protocol, so that the
> entity that she logs on to proves it already knows the hash of her password.

EXACTLY!!!

> ZKPP has to be in the browser chrome, not on the browser web page.

This seems obvious, but experiments show users do not understand it.
We have yet to find a satisfactory answer to a trusted path for
ordinary users.

>  How do you see that working assuming that Ann is an �ordinary user�?
>
> To the ordinary user, should not behave any different, and should only look
> different in that the ZKPP login screen looks different from any possible
> web page in a way that is quite difficult to fake for any software that does
> not already have total control of the users machine.
>
> Details of how to achieve unfakeable logon screen appearance depend on OS
> version.  To make the ZKPP logon screen in Windows 7 different from any
> possible web page, have the browser web page vanish when the browser's
> genuine ZKPP logon screen is up.  Analogous but different gimmicks are
> feasible in other operating systems and system versions.

Once more: technically unfakeable turns out to be a long way from
usably unfakeable.


More information about the cryptography mailing list