[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Adam Back
You know this is why you should use ssh-keys and disable password authentication. First thing I do when someone gives me an ssh account. ssh-keys is the EKE(*) equivalent for ssh. EKE for web login is decades overdue and if implemented and deployed properly in the browser and server could prett

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Peter Gutmann
Adam Back writes: >EKE for web login is decades overdue and if implemented and deployed properly >in the browser and server could pretty much wipe out phishing attacks on >passwords. > >We have source code for apache, mozilla, maybe could persuade google; and >perhaps microsoft and apple could be

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ralph Holz
Hi, > You know this is why you should use ssh-keys and disable password > authentication. First thing I do when someone gives me an ssh account. Using keys to authenticate is what I usually do, too. But even if a user decides not to use plain password auth, switching off password-based access glo

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ian G
On 13/07/11 9:27 PM, Ralph Holz wrote: Hi, You know this is why you should use ssh-keys and disable password authentication. First thing I do when someone gives me an ssh account. Using keys to authenticate is what I usually do, too. But even if a user decides not to use plain password auth,

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ralph Holz
Hi, On 07/13/2011 01:34 PM, Ian G wrote: > Is there any reason why the ssh client-side can't generate the key, take > the password from the user, login and install the key, all in one > operation? Hm, I think there's actually a tool to do just that, although I don't remember the name. You'd proba

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread James A. Donald
On 2011-07-13 8:49 PM, Adam Back wrote: EKE for web login is decades overdue and if implemented and deployed properly in the browser and server could pretty much wipe out phishing attacks on passwords. EKE requires a change in the browser, in the server, and in the login page. We have source

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread James A. Donald
On 2011-07-13 9:10 PM, Peter Gutmann wrote: As for Microsoft, Opera, etc who knows? (If you work on, or have worked on, any of these browsers, I'd like to hear more about why it hasn't been considered). I think it'll be a combination of two factors: 1. Everyone knows that passwords are insecur

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Jeffrey Walton
On Wed, Jul 13, 2011 at 2:17 PM, James A. Donald wrote: > On 2011-07-13 9:10 PM, Peter Gutmann wrote: >> >> As for Microsoft, Opera, etc who knows?  (If you work on, or have worked >> on, >> any of these browsers, I'd like to hear more about why it hasn't been >> considered).  I think it'll be a c

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Marsh Ray
On 07/13/2011 01:33 PM, Jeffrey Walton wrote: I believe Mozilla is [in]directly supported by Google. Mozilla has made so much money, they nearly lost their tax exempt status: http://tech.slashdot.org/story/08/11/20/1327240/IRS-Looking-at-GoogleMozilla-Relationship. Mozilla has a lot of cash in

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ian G
On 14/07/11 4:33 AM, Jeffrey Walton wrote: On Wed, Jul 13, 2011 at 2:17 PM, James A. Donald wrote: On 2011-07-13 9:10 PM, Peter Gutmann wrote: As for Microsoft, Microsoft have a big interest in bypassing the status quo, and they've tried several times. But each time it isn't for the bene

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Brian Smith
Ian G wrote: > Well, not financially, more like the policy side is impacted by the > CAs, which are coordinated in a confidential industry body called > CABForum. This body communicates internally to Mozilla (being a > member) and via private comment by CAs to the CA desk. AFAIK, the CABForum has

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Peter Gutmann
Jeffrey Walton writes: >I was also talking with a fellow who told me NSS is owned by Red Hat. While >NSS is open source, the validated module is proprietary. I don't use NSS (and >have no need to interop with the library), so I never looked into the >relationship. The person that I quoted in my

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Peter Gutmann
Ian G writes: >Microsoft have a big interest in bypassing the status quo, and they've tried >several times. But each time it isn't for the benefit of the users, more for >their own benefit, in that they've tried to rebuild the security >infrastructure with themselves in control. (recall .net, I

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread James A. Donald
Ian G wrote: > The chances of them approving or agreeing to EKE are next to nil. > > The problem with Mozilla security > coding is more this: most (all?) of the programmers who work in that > area are all employees of the big software providers. And they all > have a vested interest in working for

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-14 Thread Ralph Holz
Good day, > This like designing a bicycle with three and half wheels. Any > restructuring that makes DNSSEC useful would make the CAs useless. The > goal of their design is not to make DNSSEC useful, but to make it useful > in a fashion that does not harm the CA business model. With one notable

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-15 Thread =JeffH
Peter Gutmann stated.. > > The person that I quoted in my message is effectively Mr. NSS. I'd say his > statement is fairly authoritative my understanding is that that is no longer the case. =JeffH ___ cryptography mailing list cryptography@randombit

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-15 Thread James A. Donald
Peter Gutmann stated.. > The person that I quoted in my message is effectively Mr. NSS. I'd say > his > statement is fairly authoritative On 2011-07-16 4:16 AM, =JeffH wrote: my understanding is that that is no longer the case. We have a massive crisis (phishing) which EKE can solve, and cer