[Cryptography] Follow up on my password replacement idea

Phillip Hallam-Baker phill at hallambaker.com
Wed Sep 23 15:16:19 EDT 2015


On Wed, Sep 23, 2015 at 2:09 PM, Ray Dillinger <bear at sonic.net> wrote:

> Just plain NOT asking users to share keys across devices is a really
> good plan - you can't get them to develop secure habits for something
> if it isn't something they do by habit every few hours of every day.
> Not doing it at all is better.  If you really want to have the same
> accounts on many different devices (which I do not!) then let keys
> for different devices get handled on the server side, because the
> professionals on the server side *are* going to be doing it every
> few hours of every day so they're going to develop a procedure
> that's at least consistent, and they'll review it for security at
> least as often as they get pwned.
>

With the Mesh there should never be a need for an application key to be
exported from any device with the exception of some RSA decryption keys for
apps like S/MIME. And that should be closed in phase 2.

What this means is that it should be possible to raise the bar to a breach
by using trustworthy hardware to store the keys in a non-exportable fashion.