[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?

Tony Arcieri bascule at gmail.com
Wed Aug 5 13:51:33 EDT 2015


On Wed, Aug 5, 2015 at 10:09 AM, Ron Garret <ron at flownet.com> wrote:

> And in particular, has there ever been an attempt that was integrated into
> the browser so that the user could actually have a hope of knowing whether
> or not they were dealing with the One True Password Box?  (No, browser
> certificates don’t count.  Certs got the underlying auth right but dropped
> the ball in a big way on the UX.)


FIDO U2F derives origin-specific ECC keys (derived using a hardware token)
which are effectively "unphishable":

https://fidoalliance.org/specifications/overview/

It's integrated into Chrome. Support for other browsers has not been
forthcoming, though.

-- 
Tony Arcieri
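
The origin binding described in the message above, as an added Node.js illustration that is not part of the original post or of the FIDO specifications. The HMAC-based key derivation, the simplified signed payload, the origins and the device secret are assumptions constructed for the example.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Token side. Assumption: the per-origin private scalar is HMAC(deviceSecret, SHA-256(origin));
// real tokens use a vendor-specific derivation or key-wrapping scheme.
function deriveKeyPair(deviceSecret, origin) {
  const d = nodeCrypto.createHmac('sha256', deviceSecret).update(sha256(origin)).digest();
  const ecdh = nodeCrypto.createECDH('prime256v1');
  ecdh.setPrivateKey(d);            // throws in the negligible case d is not a valid scalar
  const pub = ecdh.getPublicKey();  // uncompressed point: 0x04 || X || Y
  const jwk = { kty: 'EC', crv: 'P-256', d: d.toString('base64url'),
    x: pub.subarray(1, 33).toString('base64url'),
    y: pub.subarray(33, 65).toString('base64url') };
  const privateKey = nodeCrypto.createPrivateKey({ key: jwk, format: 'jwk' });
  return { privateKey, publicKey: nodeCrypto.createPublicKey(privateKey) };
}

// Browser + token: the browser, not the page, supplies the origin it is really talking to.
function signAssertion(deviceSecret, browserOrigin, challenge) {
  const clientData = JSON.stringify({ origin: browserOrigin, challenge });
  const { privateKey } = deriveKeyPair(deviceSecret, browserOrigin);
  // Simplified payload: application parameter || challenge parameter.
  const payload = Buffer.concat([sha256(browserOrigin), sha256(clientData)]);
  return { clientData, signature: nodeCrypto.sign('sha256', payload, privateKey) };
}

// Relying party: checks challenge and origin, then the signature under the registered key.
function verifyAssertion(registeredKey, expectedOrigin, challenge, assertion) {
  const cd = JSON.parse(assertion.clientData);
  if (cd.origin !== expectedOrigin || cd.challenge !== challenge) return false;
  const payload = Buffer.concat([sha256(expectedOrigin), sha256(assertion.clientData)]);
  return nodeCrypto.verify('sha256', payload, registeredKey, assertion.signature);
}

// Constructed sample values, not taken from the post.
const DEVICE_SECRET = Buffer.alloc(32, 7);
const RP = 'https://bank.example';
const LOOKALIKE = 'https://bank-login.example';
function demo() {
  const registered = deriveKeyPair(DEVICE_SECRET, RP).publicKey;
  const challenge = 'constructed-challenge-001';
  const good = signAssertion(DEVICE_SECRET, RP, challenge);
  const other = signAssertion(DEVICE_SECRET, LOOKALIKE, challenge);
  // Same signature presented with client data rewritten to name the real origin.
  const rewritten = { clientData: good.clientData, signature: other.signature };
  const check = (a) => verifyAssertion(registered, RP, challenge, a);
  return { legit: check(good), lookalike: check(other), rewritten: check(rewritten) };
}
console.log(demo());
```

An assertion produced while the browser is on the look-alike origin fails twice over: the client data names the wrong origin, and the signature comes from a different key than the one registered for the real site.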