- From: James A. Donald <jamesd@echeque.com>
- Date: Fri, 15 Feb 2008 14:27:00 +1000
- To: Chris Drake <christopher@pobox.com>
- CC: "Hallam-Baker, Phillip" <pbaker@verisign.com>, David Orchard <dorchard@bea.com>, public-usable-authentication@w3.org
Chris Drake wrote:
> Well - technically - you've made a mistake already.
> If passwords belong to users, then there should never
> be any way for users to give passwords to sites. This
> comes back to the hashing problem again, with the
> added annoyance of requiring universal user-agent
> support for something secure as well.

I assume you are talking about SRP or something similar.

We all know that everyone should do passwords using SRP - at least, all of us that know what SRP is.

I have been giving some thought to the problem of making SRP usable to your mother in law, and the guy who was given the job of bringing up the web site because everyone else was too busy, and it is not so simple as one might think.

Has to be done, of course, and eventually will be done, just saying it is a hard row to hoe.

Received on Friday, 15 February 2008 04:27:16 UTC