[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?
Tony Arcieri
bascule at gmail.com
Wed Aug 5 13:51:33 EDT 2015
On Wed, Aug 5, 2015 at 10:09 AM, Ron Garret <ron at flownet.com> wrote:
> And in particular, has there ever been an attempt that was integrated into
> the browser so that the user could actually have a hope of knowing whether
> or not they were dealing with the One True Password Box? (No, browser
> certificates don’t count. Certs got the underlying auth right but dropped
> the ball in a big way on the UX.)
FIDO U2F derives origin-specific ECC keys (derived using a hardware token)
which are effectively "unphishable":
https://fidoalliance.org/specifications/overview/
It's integrated into Chrome. Support for other browsers has not been
forthcoming, though.
--
Tony Arcieri
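
As an added illustration of the origin-specific keys mentioned in the message above (not code from the post or from the FIDO specifications), this toy model shows why a key handle registered at one origin is useless at a look-alike origin. The HMAC-based derivation, the key-handle layout, the `ToyToken` class and the sample origins are assumptions made for the example; the U2F specifications leave key-handle construction to the token vendor, and a real token turns the derived seed into a P-256 key and signs with it.

```python
import hashlib
import hmac
import os


def app_param(origin: str) -> bytes:
    # U2F "application parameter": SHA-256 of the AppID. The browser fills in
    # the origin itself, so a page cannot claim to be another site.
    return hashlib.sha256(origin.encode()).digest()


class ToyToken:
    """Toy token model (assumption): one device secret, no per-site storage."""

    def __init__(self, device_secret: bytes = b""):
        self._secret = device_secret or os.urandom(32)

    def _mac(self, label: bytes, *parts: bytes) -> bytes:
        return hmac.new(self._secret, label + b"".join(parts), hashlib.sha256).digest()

    def _seed(self, app: bytes, nonce: bytes) -> bytes:
        # A real token would use this as (or to produce) a P-256 private key.
        return self._mac(b"seed", app, nonce)

    def register(self, origin: str) -> bytes:
        app, nonce = app_param(origin), os.urandom(32)
        # Key handle = nonce || tag; the tag binds the handle to this origin.
        return nonce + self._mac(b"tag", app, self._seed(app, nonce))

    def key_seed(self, origin: str, key_handle: bytes):
        """Return the per-origin key seed, or None if the handle is not for this origin."""
        app, nonce, tag = app_param(origin), key_handle[:32], key_handle[32:]
        seed = self._seed(app, nonce)
        return seed if hmac.compare_digest(tag, self._mac(b"tag", app, seed)) else None


def demo() -> dict:
    token = ToyToken()
    real, lookalike = "https://bank.example", "https://bank.example.login.test"  # constructed
    handle, second = token.register(real), token.register(real)
    return {
        "real_origin_accepted": token.key_seed(real, handle) is not None,
        "lookalike_refused": token.key_seed(lookalike, handle) is None,
        "fresh_key_per_registration": token.key_seed(real, handle) != token.key_seed(real, second),
    }


print(demo())
```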