Client Certificate UI for Chrome?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Aug 16 20:57:54 EDT 2009
"James A. Donald" <jamesd at echeque.com> writes:
>[Incredibly complicated description of web scripting plumbing deleted]
We seem to be talking about competely different things here. For a typical
application, say online banking, I connect to my bank at www.bank.com or
whatever, the browser requests my credential information, and the TLS-SRP or
TLS-PSK channel is established. That's all. There's no web application
framework and PHP and scripting and other stuff at all, in fact I can't even
see how you'd inject this into the process.
>Further, if we do the SRP dance every single page, it is a huge performance
>hit, with many additional round trips. One loses about 20 percent of one's
>market share for each additional round trip.
You only do it once when the TLS session is set up, it's exactly as for
standard TLS except that instead of PKI-based non-authentication you use
cryptographic mutual authentication. How do you get an SRP exchange for every
web page?
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list