[security] Gathering requirements for in-browser OpenID support

[James A. Donald]

Chris Drake wrote:
 > Browsers cannot do asymmetric cryptography out of the
 > context of the site you're visiting, so I think "us
 > doubters" might have a valid point - unless you want
 > to explain how a "stupid user" sitting in front of IE7
 > can use EKE?

By using a smart plugin.

 > If EKE *can* prevent phishers from stealing passwords,
 > how do you explain that no site anyone has ever heard
 > of is doing this today?

Patent issues, and widespread ignorance of the
technology.