[OpenID] [oauth] Re: [diso-project] Re: OpenID Accessibility
Ben Laurie
benl at google.com
Mon Nov 3 09:38:58 UTC 2008
On Mon, Nov 3, 2008 at 8:56 AM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg at startcom.org> wrote:
> On 11/03/2008 10:24 AM, Ben Laurie:
>>> You mean something like client certificate authentication?
>>
>> Not really - you still have to issue the client cert somehow. In
>> practice, this pretty much always involves the user proving knowledge
>> of some secret. It is that secret that I would like to protect in
>> transit.
>
> Well, not sure which "secret" you mean here. The only secret with client
> certs is the private key which is generated in the browser or smart card and
> stored within the relevant security module. However your idea of the browser
> providing "phishing resistant password scheme" is what I meant to question
> really, since there are no phishing resistant user name / password pairs -
> it simply doesn't exist.
Really? Why not? What about SRP or J-PAKE?
> Client certificate authentication can't be phished.
I know. My point was that in order to acquire a client certificate,
you have to somehow prove who you are - usually by showing you know
some secret.
>
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: startcom at startcom.org
> Blog: Join the Revolution!
> Phone: +1.213.341.0390
>
>
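Ben's "What about SRP or J-PAKE?" is the crux of the exchange, so here is an added worked example (editorial addition; not code from either poster or from the list): a minimal SRP-6a run in Python. It assumes SHA-256 in place of the SHA-1 of RFC 2945 and the 1024-bit group from RFC 5054 Appendix A (copied by hand; check it against the RFC, and use a larger group for anything real). The password only ever feeds the private exponent x on the client; the server stores the verifier v = g^x. An honest server that holds v derives the same session key and accepts the client's proof M1. A look-alike server that never obtained v can only build its B from one password guess of its own, so a run against it confirms or refutes exactly that one guess.

```python
"""SRP-6a (RFC 2945 / RFC 5054) with an honest server and a phishing server.
Editorial example for the thread above; SHA-256 and the RFC 5054 1024-bit
group are assumptions of this demo, not details from the list discussion."""
import hashlib
import secrets

# RFC 5054 Appendix A, 1024-bit group (hand-copied: verify against the RFC).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """Hash the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    """Fixed-width encoding of a group element (RFC 5054 PAD())."""
    return n.to_bytes(NBYTES, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    """x = H(s | H(I | ':' | P)); computed on the client only."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def register(identity: bytes, password: bytes):
    """Enrolment: the server keeps (salt, v = g^x), never x or the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)  # first message: I, A

    def respond(self, salt: bytes, B: int) -> bytes:
        """Derive the session key from the server's B and return proof M1."""
        if B % N == 0:
            raise ValueError("invalid B")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("invalid u")
        x = private_x(self.I, self.P, salt)
        # S = (B - k*g^x)^(a + u*x): equals the server's S only if B was built from v = g^x.
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        return hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()


class Server:
    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N  # second message: s, B

    def verify(self, A: int, M1: bytes) -> bool:
        """S = (A * v^u)^b; check the client's proof in constant time."""
        if A % N == 0:
            raise ValueError("invalid A")
        u = H(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N), self.b, N)
        self.K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(A) + pad(self.B) + self.K).digest()
        return secrets.compare_digest(expected, M1)


def login(server: Server, client: Client) -> bool:
    """One run: client -> A, server -> (s, B), client -> M1, server checks M1."""
    M1 = client.respond(server.salt, server.B)
    return server.verify(client.A, M1) and server.K == client.K


def honest_login(identity: bytes, password: bytes, typed=None) -> bool:
    """Enrol `password`, then log in typing `typed` (defaults to the real one)."""
    salt, v = register(identity, password)
    return login(Server(salt, v), Client(identity, typed if typed is not None else password))


def phishing_login(identity: bytes, password: bytes, guess: bytes) -> bool:
    """A look-alike server without v can only embed one guess in its B."""
    fake_salt, fake_v = register(identity, guess)
    return login(Server(fake_salt, fake_v), Client(identity, password))


if __name__ == "__main__":
    print("honest:", honest_login(b"alice", b"correct horse"))                    # True
    print("wrong password:", honest_login(b"alice", b"correct horse", b"wr0ng"))  # False
    print("phisher:", phishing_login(b"alice", b"correct horse", b"password123"))  # False
```

What the phisher sees on the wire is A and M1; neither the password nor a hash of it crosses the wire, and M1 can only be checked against the single guess already committed to in B, so a spoofed login page collects one online guess per run rather than material for offline cracking. That is the sense in which a PAKE is "phishing resistant"; it does not, on its own, stop a user from typing the password into a form that is not a PAKE client at all.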