Eric Rescorla wrote:
> Eliot Lear <[EMAIL PROTECTED]> wrote:
>
>> Eric Rescorla wrote:
>> That the password is at all related to the hash result at all is an
>> (IMHO) unnecessary risk that would in our scenarios impact more than a
>> single service. There exists methods where this is NOT the case.
>>
>
> Yes, there do. But they all involve lugging some object around,
> in which case the problem becomes vastly easier. We need
> a system which doesn't require a token.
>
That's not true, Eric. Anything you can lug around can be "lugged" around in software. It doesn't solve the malware/bot problem, but the two issues are separate and distinct.

Eliot
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
