[OpenID] [oauth] Re: [diso-project] Re: OpenID Accessibility
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Nov 3 08:56:47 UTC 2008
On 11/03/2008 10:24 AM, Ben Laurie:
>> You mean something like client certificate authentication?
>>
>
> Not really - you still have to issue the client cert somehow. In
> practice, this pretty much always involves the user proving knowledge
> of some secret. It is that secret that I would like to protect in
> transit.
>
Well, not sure which "secret" you mean here. The only secret with client
certs is the private key which is generated in the browser or smart card
and stored within the relevant security module. However, your idea of the
browser providing "phishing resistant password scheme" is what I meant
to question really, since there are no phishing resistant user name /
password pairs - it simply doesn't exist.
Client certificate authentication can't be phished.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
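The distinction the message draws (the private key stays in the browser or smart card, whereas a password is the secret itself and is handed over in transit) can be shown in a few lines. The Go program below is an added illustration and is not part of the thread or of any OpenID or StartCom code. It models TLS client-certificate authentication as a challenge signed over a transcript that includes the server name the client actually connected to, and contrasts it with a password check; the server names "bank.example" and "phisher.example", the password, and the `transcriptHash` stand-in for the real TLS handshake transcript are all constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Client owns a key pair. The private key is generated here and never leaves
// this struct; only signatures over a transcript ever go on the wire.
type Client struct {
	priv *ecdsa.PrivateKey
}

func NewClient() (*Client, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

// PublicKey is what the server keeps from enrolment (the certificate's key).
func (c *Client) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// transcriptHash is a constructed stand-in for the TLS handshake transcript:
// it binds the server's nonce to the identity of the server the client
// believes it is talking to, so a proof made for one server is useless at another.
func transcriptHash(serverName string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(serverName))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Prove answers a server challenge. serverName is the name the client actually
// connected to (in real TLS this is checked against the server certificate).
func (c *Client) Prove(serverName string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, transcriptHash(serverName, nonce))
}

// VerifyProof is the server side: the proof must be bound to this server's
// own name and to the nonce it issued.
func VerifyProof(pub *ecdsa.PublicKey, serverName string, nonce, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, transcriptHash(serverName, nonce), sig)
}

// NewNonce issues a fresh 32-byte server challenge.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// PasswordCheck is the password scheme for contrast: the server compares the
// hash of whatever the user typed with the hash it stored at enrolment.
func PasswordCheck(storedHash [32]byte, attempt string) bool {
	h := sha256.Sum256([]byte(attempt))
	return subtle.ConstantTimeCompare(storedHash[:], h[:]) == 1
}

// Scenario records what a phishing site can do with what it captured.
type Scenario struct {
	CertLogin      bool // genuine client-cert login at the real server succeeds
	CertReplay     bool // phisher relays the captured proof to the real server
	PasswordReplay bool // phisher reuses the captured password at the real server
}

func RunScenario() (Scenario, error) {
	var s Scenario
	client, err := NewClient()
	if err != nil {
		return s, err
	}
	pub := client.PublicKey()

	// 1. Honest login: the real server challenges, the client signs for it.
	nonce, err := NewNonce()
	if err != nil {
		return s, err
	}
	sig, err := client.Prove("bank.example", nonce)
	if err != nil {
		return s, err
	}
	s.CertLogin = VerifyProof(pub, "bank.example", nonce, sig)

	// 2. Phishing with relay: the phisher forwards the real server's nonce, but
	// the client signs for the name it actually connected to, so the proof
	// does not verify at the real server and the private key was never exposed.
	phishedSig, err := client.Prove("phisher.example", nonce)
	if err != nil {
		return s, err
	}
	s.CertReplay = VerifyProof(pub, "bank.example", nonce, phishedSig)

	// 3. Password: what the user typed at the phisher is the secret itself.
	const password = "constructed-sample-password"
	stored := sha256.Sum256([]byte(password))
	captured := password // exactly what the phishing page received
	s.PasswordReplay = PasswordCheck(stored, captured)
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("cert login ok: %v, phished cert proof accepted: %v, phished password accepted: %v\n",
		s.CertLogin, s.CertReplay, s.PasswordReplay)
}
```

Real TLS binds the client's CertificateVerify signature to the whole handshake transcript, including the server's certificate and key exchange, not just to a name and nonce; the simplification here keeps the property that matters for the thread: nothing the phishing page receives can be replayed at the real server, and the key that would let it forge a proof never leaves the client's security module.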