- From: Chris Drake <christopher@pobox.com>
- Date: Tue, 13 Jun 2006 01:01:40 +1000
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
- CC: "Frederick Hirsch" <frederick.hirsch@nokia.com>, "George Staikos" <staikos@kde.org>, <public-usable-authentication@w3.org>

Hi Phillip,

> Preventing that attack is the job of the operating system.
> If the O/S is compromised there can be no security.

This is only true when the OS has been compromised by something specifically targeting your authentication system (or, like the pile of banking viruses and trojans did, targeting the more general case of any browser window with passwords, or that had credit card numbers keyed into them).

I don't believe we should declare all protection against client-side attacks "out of scope", nor should we not at least attempt to do what we can while the O/S people tinker about the edges of this problem. No fix has arrived for two decades so far - so I think it's more than reasonable to assume that O/S vendors are not going to be delivering one anytime soon.

Either we protect our users - or nobody does.

Kind Regards,
Chris Drake

Received on Monday, 12 June 2006 15:02:12 UTC