- From: James A. Donald <jamesd@echeque.com>
- Date: Wed, 14 Jun 2006 11:34:48 +1000
- To: Amir Herzberg <herzbea@macs.biu.ac.il>
- CC: public-usable-authentication@w3.org
--
James A. Donald:
> > Oops, we are on a new computer? Random number [from
> > which passwords are constructed] is not there? Then
> > do an SRP login to the server of the company issuing
> > the login program, and get a copy of the large
> > random number. This means that the company issuing
> > the login program can launch a dictionary attack on
> > your master password, as can anyone who has access
> > to one of your logins and access to a computer on
> > which you used the login program, but no one else
> > can launch a dictionary attack.
Amir Herzberg wrote:
> Do you mean to authenticate to the `login helper
> trusted party (LHTP)` using as a shared key the hash
> of your master password, and they'll send the user's
> `random number`? That does seem a reasonable
> solution.
Yes, that is what I had in mind. People could set up
their own LHTP, and should, though I suspect that in 99%
of cases they would not.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
qBdRErAutLEdjR1mPQ2Zl2Eqn7IF8CyS2TA5vCzq
44H3q2ghG+CUbrkg8p+dXd4XpoSEkKZ5rIdaUttU6
Received on Wednesday, 14 June 2006 01:34:42 UTC
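The scheme discussed above, as an added example that is not part of the original message or of any login program the thread refers to: per-site passwords are built from the user's master password and a large random number, the slow hash of the master password is the secret the client would present to the LHTP over SRP, and an audit helper models who can and cannot run a dictionary attack on the master password. The SRP exchange itself is assumed to be handled by an SRP library and is not shown; the function names, the HMAC-based derivation, the iteration count, the salt and the word list are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for the master-password hash. Constructed value for the example;
# a deployment would choose it from its hardware budget.
PBKDF2_ITERATIONS = 20_000


def master_key(master_password: str, salt: bytes) -> bytes:
    """Slow hash of the master password.

    This plays the role of the "hash of your master password" that the thread
    proposes as the shared secret for the SRP login to the LHTP. The SRP
    exchange is out of scope here (assumed to be done by an SRP library);
    only the key derivation is shown.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def site_password(master_password: str, random_secret: bytes, site: str,
                  salt: bytes, length: int = 20) -> str:
    """Per-site password built from the master password and the random number.

    key = HMAC(random_secret, master_key); password = HMAC(key, site), encoded.
    Without random_secret no guess of the master password can be checked,
    which is the property the thread relies on.
    """
    if len(random_secret) < 32:
        raise ValueError("random_secret must be at least 256 bits")
    key = hmac.new(random_secret, master_key(master_password, salt),
                   hashlib.sha256).digest()
    digest = hmac.new(key, site.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def new_random_secret() -> bytes:
    """The large random number generated on first use and escrowed at the LHTP."""
    return secrets.token_bytes(32)


def master_recoverable_from(observed: str, site: str, salt: bytes,
                            random_secret: Optional[bytes],
                            candidates: list[str]) -> Optional[str]:
    """Audit helper: which master password in `candidates` reproduces `observed`?

    Models the two situations the thread names. A party holding the random
    secret (the LHTP, or someone with one site password plus the user's
    computer) can test candidate master passwords; a party without it has
    nothing to test against, so the function returns None at once.
    """
    if random_secret is None:
        return None
    for cand in candidates:
        if hmac.compare_digest(site_password(cand, random_secret, site, salt),
                               observed):
            return cand
    return None


def demo() -> dict:
    """Run the scheme once with a weak master password from a constructed word list."""
    salt = b"constructed-salt-for-demo"   # constructed; real salt is random per user
    secret = new_random_secret()
    pw = site_password("correct horse", secret, "example.org", salt)
    wordlist = ["password", "letmein", "correct horse", "hunter2"]  # constructed
    return {
        "with_secret": master_recoverable_from(pw, "example.org", salt, secret, wordlist),
        "without_secret": master_recoverable_from(pw, "example.org", salt, None, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

The audit helper is the point of the example: a master password that appears in a word list is recoverable by exactly the parties the thread lists (the LHTP, or anyone holding one site password together with the random number from the user's machine) and by nobody else, because every per-site password is keyed with the 256-bit random secret before the master password ever enters the computation.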