AW: AW: Secure Chrome from Jörg Schwenk on 2006-06-15 (public-usable-authentication@w3.org from June 2006)

From: Jörg Schwenk <joerg.schwenk@ruhr-uni-bochum.de>
Date: Thu, 15 Jun 2006 12:17:10 +0200
To: "'Amir Herzberg'" <amir.herzberg@gmail.com>
Cc: <public-usable-authentication@w3.org>
Message-ID: <002001c69064$dd6f0e10$3fa0fcd9@jotop>

Amir, thanks for the information. We have a group working on XML security
here, so it would be nice to get some details when you have finished the
implementation.

Could the following be a standard way to change passwords:
- m master password
- s secret random number, stored in browser and at the `login helper trusted
party (LHTP)`
- d DNS domain name of the web site visited, which is also stored in the SSL
certificate
- x = HMAC(m; s, d)   [HMAC is implemented in TLS]
- new_passwd: the last (first) n characters of the base64 encoding of x,
excluding padding

Joerg Schwenk

-----Ursprüngliche Nachricht-----
Von: Amir Herzberg [mailto:amir.herzberg@gmail.com] 
Gesendet: Donnerstag, 15. Juni 2006 00:09
An: Jörg Schwenk
Cc: public-usable-authentication@w3.org
Betreff: Re: AW: Secure Chrome

Jörg Schwenk wrote:
> Sounds like a very interesting idea, and I can imagine how it works for
> standard username/password. Do you have any ideas how to handle
non-standard
> logins, e.g. username/email/creditcard/password, or transaction numbers
from
> a TAN list (system used by all german banks)?
>   
Joerg, thanks. Yes, actually, our prototype already handles other fields 
(not only passwords) and indeed a very natural other application is to 
protect credit card numbers , and of course other input fields. We use 
an XML schema for identifying the relevant fields, etc., so it is quite 
easy to extend.

One problem, though, is that we don't have a standard mechanism for 
changing user's password.

Amir Herzberg
> Joerg Schwenk
>
> -----Ursprüngliche Nachricht-----
> Von: public-usable-authentication-request@w3.org
> [mailto:public-usable-authentication-request@w3.org] Im Auftrag von Amir
> Herzberg
> Gesendet: Dienstag, 13. Juni 2006 17:47
> An: James A. Donald
> Cc: public-usable-authentication@w3.org
> Betreff: Re: Secure Chrome
>
>
> James A. Donald wrote:
>   
>> User does not look at routine chrome.  Does not look at
>> irrelevant information.
>>     
> agree
>   
>> We have to make the login page special in an obvious and
>> dramatic way - and not make all the other pages special,
>> because then it just turns into noise and the user tunes
>> it out - so login and account creation has to be part of
>> the browser, not a web page.
>>     
> I agree. Our in-development code modifies login pages so that login is 
> always done via our control in the Chrome - user never enters password 
> in a web form (we can also auto-fill the password so users don't need to 
> type it at all). Feedback?
>
> Amir Herzberg
>
>
>
>

Received on Thursday, 15 June 2006 11:13:47 UTC