On 15/09/2010 00:26, Nicolas Williams wrote:
> On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote:
>> How do you deliver Javascript to the browser securely in the first
>> place? HTTP?
>
> I'll note that Ben's proposal is in the same category as mine (which
> was, to remind you, implement SCRAM in JavaScript and use that, with
> channel binding using tls-server-end-point CB type).
>
> It's in the same category because it has the same flaw, which I'd
> pointed out earlier: if the JS is delivered by "normal" means (i.e., by
> the server), then the script can't be used to authenticate the server.

That's one of the reasons I said it was only good for experimentation.

--
http://www.apache-ssl.org/ben.html http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
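
The following is an added example, not part of the original messages or any participant's code: a sketch of how tls-server-end-point channel binding enters the SCRAM client proof in the proposal quoted above, so a proof computed against a different certificate is rejected by the server. It assumes SCRAM-SHA-1 (RFC 5802) and RFC 5929 binding; the session values, function names and certificate bytes are constructed for illustration. The check is only meaningful if the script computing it runs as written, which is the delivery concern raised in the thread.

```javascript
const crypto = require('crypto');

// Constructed session values (not from the thread); SCRAM-SHA-1 per RFC 5802.
const session = {
  clientFirstBare: 'n=user,r=cnonce',
  serverFirst: 'r=cnoncesnonce,s=c2FsdHNhbHQ=,i=4096',
  nonce: 'cnoncesnonce',
  salt: Buffer.from('c2FsdHNhbHQ=', 'base64'),
  iterations: 4096,
};

const hmac = (key, msg) => crypto.createHmac('sha1', key).update(msg).digest();
const sha1 = (data) => crypto.createHash('sha1').update(data).digest();
function xor(a, b) {
  const out = Buffer.alloc(a.length);
  for (let i = 0; i < a.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// RFC 5929 tls-server-end-point: hash of the server certificate's DER bytes
// (SHA-256 here, as used when the certificate is signed with MD5 or SHA-1).
const endPoint = (certDer) => crypto.createHash('sha256').update(certDer).digest();

// AuthMessage covers c=base64(gs2-header || cbind-data), so the certificate
// each side saw on the TLS connection is mixed into the proof.
function authMessage(s, certDer) {
  const cb = Buffer.concat([Buffer.from('p=tls-server-end-point,,'), endPoint(certDer)]);
  return `${s.clientFirstBare},${s.serverFirst},c=${cb.toString('base64')},r=${s.nonce}`;
}

// What the server stores at registration: H(ClientKey).
function storedKeyFor(password, s) {
  const salted = crypto.pbkdf2Sync(password, s.salt, s.iterations, 20, 'sha1');
  return sha1(hmac(salted, 'Client Key'));
}

function clientProof(password, s, certSeenByClient) {
  const salted = crypto.pbkdf2Sync(password, s.salt, s.iterations, 20, 'sha1');
  const clientKey = hmac(salted, 'Client Key');
  return xor(clientKey, hmac(sha1(clientKey), authMessage(s, certSeenByClient)));
}

// Server side: recover ClientKey using the binding for its own certificate.
function serverAccepts(storedKey, s, ownCertDer, proof) {
  const clientKey = xor(proof, hmac(storedKey, authMessage(s, ownCertDer)));
  return crypto.timingSafeEqual(sha1(clientKey), storedKey);
}
```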