Client Certificate UI for Chrome?
Wes Felter
wesley at felter.org
Wed Aug 12 19:26:02 EDT 2009
James A. Donald wrote:
> For password-authenticated key agreement such as TLS-SRP
> or TLS-PSK to work, login has to be in the chrome.
Regrettably, login in the (non-customizable) chrome is unusable; this is
why *everyone* now uses cookies instead of HTTP authentication. Just
asking the user for a username instead of an email address can trip them up.
SSL has a worse problem AFAIK, which is that the server either always
asks for a client cert (before the login page) or never asks, but I
think we want to show a login page over SSL, *then* ask the user for
their cert or password.
Despite its complexity, I'm thinking that something like infocards --
where some HTML tag or JS API can trigger the browser to perform secure
authentication with an unspoofable UI -- is the way to go.
Wes Felter
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list