<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
On 11/04/2008 09:07 PM, Ben Laurie:<br>
<blockquote
cite="mid:1b587cab0811041107n66c96790l1316741df68da04b@mail.gmail.com"
type="cite">
<pre wrap="">
However, where we came in was I said "But wouldn't it be nice if
browsers just automatically supported a phishing resistant password
scheme?" and you said "like a client cert?". Picking up from that
point: a client cert is not like a password, because I cannot memorise
my cert.
</pre>
</blockquote>
LOL, that was my point actually - to disqualify anything resembling a
user / password pair, because as you say below:<br>
<blockquote
cite="mid:1b587cab0811041107n66c96790l1316741df68da04b@mail.gmail.com"
type="cite">
<pre wrap=""><!---->
I agree that client certificates are obviously phishing resistant, and
have never disagreed, and I am happy to treat the rest of the
conversation as a red herring.</pre>
</blockquote>
:-)<br>
<br>
Basically I don't want to have another solution on top of a bad
solution (like user/pass) if there are better solutions already working
perfectly instead. It's already in the browser, it works, it's phishing
resistant, it's secure...what else?<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>Jabber: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Phone: </td>
<td>+1.213.341.0390</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</body>
</html>