[cryptography] Request - PKI/CA History Lesson

David Mercer radix42 at gmail.com
Thu May 1 16:08:42 EDT 2014


On Thu, May 1, 2014 at 1:25 AM, Ben Laurie <ben at links.org> wrote:

> On 1 May 2014 08:19, James A. Donald <jamesd at echeque.com> wrote:
> > On 2014-04-30 02:14, Jeffrey Goldberg wrote:
> >>
> >> On 2014-04-28, at 5:00 PM, James A. Donald <jamesd at echeque.com> wrote:
> >>
> >>> Cannot outsource trust  Ann usually knows more about Bob than a distant
> >>> authority does.
> >>
> >>
> >> So should Ann verify the fingerprints of Amazon, and Paypal herself?
> >
> >
> > Ann should be logging on by zero knowledge password protocol, so that the
> > entity that she logs on to proves it already knows the hash of her
> password.
>
> EXACTLY!!!
>
> > ZKPP has to be in the browser chrome, not on the browser web page.
>
> This seems obvious, but experiments show users do not understand it.
> We have yet to find a satisfactory answer to a trusted path for
> ordinary users.
>
> >  How do you see that working assuming that Ann is an �ordinary user�?
> >
> > To the ordinary user, should not behave any different, and should only
> look
> > different in that the ZKPP login screen looks different from any possible
> > web page in a way that is quite difficult to fake for any software that
> does
> > not already have total control of the users machine.
> >
> > Details of how to achieve unfakeable logon screen appearance depend on OS
> > version.  To make the ZKPP logon screen in Windows 7 different from any
> > possible web page, have the browser web page vanish when the browser's
> > genuine ZKPP logon screen is up.  Analogous but different gimmicks are
> > feasible in other operating systems and system versions.
>
> Once more: technically unfakeable turns out to be a long way from
> usably unfakeable.



 And remember that on tablet and mobile devices the foreground program,
without the user ever clicking "maximize/full screen" like on a
desktop/laptop OS,  has control of every pixel on the screen and do
whatever it damned well pleases.

-David Mercer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20140501/c4537b62/attachment-0001.html>


More information about the cryptography mailing list