
It's an IRTF issue at this point RE: Symptoms vs. Causes

2007-09-12 09:01:35
I suggest people take a look at CardSpace before continuing this thread. 
 
I don't use username/password at all and it is one heck of a lot nicer to use 
than any system that does. I can in addition make use of a password, 
smart-token or OTP token but there is no need for a username.
 
Kick this to the IRTF and start an interest/research group there if we are 
going to do anything. 

________________________________

From: Keith Moore [mailto:moore(_at_)cs(_dot_)utk(_dot_)edu]
Sent: Wed 12/09/2007 11:39 AM
To: Eric Rescorla
Cc: ietf(_at_)ietf(_dot_)org; Eliot Lear
Subject: Re: Symptoms vs. Causes




None of the systems I mentioned (TLS-PSK, SRP, PwdHash) has this
problem--provided that the user actually uses the new authentication
method and doesn't type his password into some Web form. But of
course that's a UI problem, not a protocol problem.

and IMHO, any solution that doesn't let the user type his password into
some Web form is a non-starter, both for reasons of backward compatibility
and because sites (quite legitimately) want to provide a visually attractive
interface to users which is consistent across all platforms (for support
reasons).

This may well be true.

However, I'm not aware of any technique which both meets this constraint
and is phishing resistant.
 
nor I.  but the first step in solving an unsolvable problem is realizing
what you're up against.


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

