- From: Nico Williams <nico@cryptonector.com>
- Date: Wed, 15 Jun 2011 09:17:26 -0500
- To: "KIHARA, Boku" <bkihara.l@gmail.com>
- Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, http-auth@ietf.org, public-identity@w3.org, websec@ietf.org, saag@ietf.org
On Wed, Jun 15, 2011 at 4:44 AM, KIHARA, Boku <bkihara.l@gmail.com> wrote:
> To make the goal clear, let's list what kind of authentication methods
> should be avoided. One item is methods that hand over passwords,
> mentioned by Peter. Let me add methods whose UI can be imitated and
> the result can be forged by malicious sites. Like a padlock icon that
> insists the session is secured by TLS inside the content area. Is a _secure_
> authentication method inside the content area truly reliable?
>
> * a method that hands over a password (or a password-equivalent)
> * a method whose UI can be imitated by malicious sites.

The protocol and UI are not that closely related. I can't think of any
method that satisfies the first requirement that couldn't have a secure
UI.

Nico
--
Received on Wednesday, 15 June 2011 14:17:51 UTC