- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Wed, 15 Jun 2011 23:32:32 +0900
- To: Nico Williams <nico@cryptonector.com>
- Cc: "KIHARA, Boku" <bkihara.l@gmail.com>, public-identity@w3.org, http-auth@ietf.org, websec@ietf.org, saag@ietf.org
2011/6/15 Nico Williams <nico@cryptonector.com>:
>> * a method that hands over a password (or a password-equivalent)
>> * a method whose UI can be imitated by malicious sites.
> The protocol and UI are not that closely related. I can't think of
> any method that satisfies the first requirement that couldn't have a
> secure UI.

How about a simple form-field extension which encrypts some password with timed challenges?

OK, but your point suggests the following rephrasing:

* a UI which can be imitated by malicious sites.

Although they are not closely related, we cannot completely ignore the UI issues. I think that protocol designs should, to some extent, consider how such UI is to be provided (especially when and how they are kicked in). How about it?

Received on Wednesday, 15 June 2011 14:33:01 UTC