On 2013-01-17 9:02 AM, Adam Back wrote:
There was a subthread in this huge PKI-is-failing and doesn't solve phishing
thread looking at what might solve phishing (modulo engineering and
deployment issues).

To summarize, Ian & Ben mentioned and I add a few:

- client side certificates
- password managers
- browser auth
- TPM to make credentials harder to steal
- channel bound auth
- two factor OTP
- single sign on vendors

So clearly the end game is not passwords.

The end game is passwords with SRP. Even if you are using client side certificates, you have to be able to get your PC client side certificates onto your smartphone, which requires that you sign on to your PC using a password.

cryptography mailing list
