I suggest people take a look at CardSpace before continuing this thread. I don't use username/password at all and it is one heck of a lot nicer to use than any system that does. I can in addition make use of a password, smart-token or OTP token but there is no need for a username. Kick this to the IRTF and start an interest/research group there if we are going to do anything.
________________________________
From: Keith Moore [mailto:[EMAIL PROTECTED]
Sent: Wed 12/09/2007 11:39 AM
To: Eric Rescorla
Cc: ietf@ietf.org; Eliot Lear
Subject: Re: Symptoms vs. Causes

>>> None of the systems I mentioned (TLS-PSK, SRP, PwdHash) has this
>>> problem--provided that the user actually uses the new authentication
>>> method and doesn't type his password into some Web form. But of
>>> course that's a UI problem, not a protocol problem.
>>>
>> and IMHO, any solution that doesn't let the user type his password into
>> some Web form is a non-starter,
>> both for reasons of backward compatibility and because sites (quite
>> legitimately) want to provide a
>> visually attractive interface to users which is consistent across all
>> platforms (for support reasons).
>>
>
> This may well be true.
>
> However, I'm not aware of any technique which both meets this constraint
> and is phishing resistant.
>
nor I. but the first step in solving an unsolvable problem is realizing
what you're up against.

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf