[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?

Ben Laurie ben at links.org
Wed Aug 5 14:51:44 EDT 2015


On Wed, 5 Aug 2015 at 18:51 Tony Arcieri <bascule at gmail.com> wrote:

> On Wed, Aug 5, 2015 at 10:09 AM, Ron Garret <ron at flownet.com> wrote:
>
>> And in particular, has there ever been an attempt that was integrated
>> into the browser so that the user could actually have a hope of knowing
>> whether or not they were dealing with the One True Password Box?  (No,
>> browser certificates don’t count.  Certs got the underlying auth right but
>> dropped the ball in a big way on the UX.)
>
>
> FIDO U2F derives origin-specific ECC keys (derived using a hardware token)
> which are effectively "unphishable":
>
> https://fidoalliance.org/specifications/overview/
>
> It's integrated into Chrome. Support for other browsers has not been
> forthcoming though
>

I use one of those, but it doesn't really help with my other devices.

And I'm screwed if I lose it (well, I'm not, because I'll be given another,
but if I were a member of the public I would be).
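The origin binding that makes U2F-style keys "unphishable" (and the recovery problem of a lost token) can be shown in a few lines. The following is an added example, not code from this thread or from the FIDO specification: the class and function names are made up for illustration, and as a simplification the per-origin key is used as an HMAC key that the relying party stores at registration, whereas a real U2F token derives a per-origin signing key and the relying party keeps only the public half. The origin-binding argument is the same in both cases.

```python
import hashlib
import hmac
import os

# Constructed demonstration of origin-specific keys (added example,
# not from the thread or the FIDO spec).  Assumption: the per-origin
# key is an HMAC key shared with the relying party; real U2F uses a
# per-origin ECC signing key and the RP only stores the public key.


class Token:
    """Hardware token holding one master secret that never leaves it."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def _origin_key(self, origin: str) -> bytes:
        # Per-origin key derived from the master secret and the origin
        # the *browser* reports (the "application id" in U2F terms).
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Hands the relying party the key material for this origin only.
        return self._origin_key(origin)

    def authenticate(self, origin: str, challenge: bytes) -> bytes:
        # The tag covers the origin the browser saw *and* the challenge,
        # so it is only valid at that origin.
        msg = origin.encode() + b"\x00" + challenge
        return hmac.new(self._origin_key(origin), msg, hashlib.sha256).digest()


class RelyingParty:
    """The web site; stores one per-origin key per user at enrollment."""

    def __init__(self, origin: str):
        self.origin = origin
        self._keys: dict[str, bytes] = {}

    def enroll(self, user: str, token: Token) -> None:
        self._keys[user] = token.register(self.origin)

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, user: str, challenge: bytes, tag: bytes) -> bool:
        msg = self.origin.encode() + b"\x00" + challenge
        expected = hmac.new(self._keys[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def honest_login(rp: RelyingParty, token: Token, user: str) -> bool:
    # Browser is on the real origin, so the token derives the enrolled key.
    ch = rp.new_challenge()
    return rp.verify(user, ch, token.authenticate(rp.origin, ch))


def phished_login(rp: RelyingParty, token: Token, user: str,
                  phish_origin: str) -> bool:
    # A phishing site fetches a fresh challenge from the real site and
    # relays it, but the user's browser tells the token the origin it is
    # actually on, so the tag is bound to the phishing origin and fails.
    ch = rp.new_challenge()
    return rp.verify(user, ch, token.authenticate(phish_origin, ch))


def replacement_token_login(rp: RelyingParty, new_token: Token,
                            user: str) -> bool:
    # A replacement token has a different master secret, so every
    # per-origin key differs and all existing enrollments stop working.
    ch = rp.new_challenge()
    return rp.verify(user, ch, new_token.authenticate(rp.origin, ch))


if __name__ == "__main__":
    bank = RelyingParty("https://bank.example")   # constructed origin
    tok = Token(os.urandom(32))
    bank.enroll("ron", tok)
    print("honest login:      ", honest_login(bank, tok, "ron"))
    print("relayed via phish: ",
          phished_login(bank, tok, "ron", "https://bank-example.evil"))
    print("after losing token:",
          replacement_token_login(bank, Token(os.urandom(32)), "ron"))
```

The phishing case fails even though the attacker relays a genuine, fresh challenge, because the origin is supplied by the browser rather than by the page. The last call shows Ben's point: the master secret lives only on the token, so a lost token invalidates every enrollment unless the site offers some other recovery path.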