At Wed, 12 Sep 2007 16:58:12 +0200,
Eliot Lear wrote:
Erik,
Eric.
You have to put the two together. If we do, we find that we can solve
the UI problem by taking authentication OUT of known insecure
components. But that requires a protocol to that authentication
component. If one exists, what is it? It requires process
interactions. What are those? All of this needs to be written down IN
THIS CONTEXT. The secure communication path must be capable of opaquely
traveling through a host without knowledge of IP address, for instance.
I have no idea what you're talking about here. This problem can
be solved entirely in the client side software without any
intervension on the wire or in the server, as PwdHash demonstrates
[though of course one could argue that a superior protocol is needed.]
What you're describing sound like secure software architecture issues,
not protocol issues.
We've done stuff like this before, but not in this context. TLS depends
on IP address.
TLS does not depend on IP address.
-Ekr
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf