Re: Draft W3C TAG Finding "Passwords in the Clear" available for review

James A. Donald:
 > > I have been giving some thought to the problem of
 > > making SRP usable to your mother in law...

Chris Drake wrote:
 > Is this hard?  Would this not solve it?:-
 >
 > HTTP/1.1 401 Authorization Required WWW-Authenticate:
 > RFC2945 realm="Authorized access only."
 >
 > It would seem that convincing Microsoft, Apache,
 > Firefox, Opera, Safari, ... is the hard part.  The
 > easy bit is more or less "done"?

I really don't think that solves it.

And you are unlikely to succeed in convincing Mozilla
and Apache to solve it for you.

When Mozilla sees an addon, and Apache a code fork or
module, that your mother in law is using to do SRP
logon to your web site, and which does not break our
existing security mechanisms, you will find convincing
them considerably easier.

Ninety nine percent of the work is not implementing the
cryptography.  It is implementing the cryptography in a
particular application to solve a particular problem.

 > So anyhow - the usual problem remains - we have
 > elegant solutions to the problem,

Indeed we do.

We also have decades of existing code, which it seems to
me has to be extensively refactored for our elegant
solution to fit cleanly into these decades of existing
code.

Now on another mailing list, people have been flaming me
vehemently for suggesting that major refactoring is
needed.  I would be pleasantly surprised if someone
proved me wrong by actually producing a solution without
radical refactoring, or even a design in sufficient
detail to show it was actually doable.

If it is so damned easy, produce a running sample, a
patched mozilla and patched apache, that your mother in
law uses to login to your web site and leave notes to
her grandkid.  You will then find it a lot easier to
persuade Mozilla and Apache to adopt your patches.
That is how open source works.
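As an added example, not code from anyone in this thread, here is the SRP-6a exchange (RFC 2945 / RFC 5054 style) that a `WWW-Authenticate` challenge like the one quoted above would have to set off, in pure Python with only the standard library. It uses the 1024-bit group from RFC 5054 Appendix A (transcribed here, g = 2), SHA-256 as the hash, and a simplified client proof `M1 = H(A | B | K)` rather than the RFC 5054 formula; the function names, the `users` store and the sample user are assumptions for illustration. The point it shows is the one the thread cares about: the server stores only a salt and verifier, the password never leaves the client, and a wrong password fails without the server ever seeing either password.

```python
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054 Appendix A (transcribed here), generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # values are left-padded to this width before hashing


def H(*parts):
    """SHA-256 over the concatenated byte strings, returned as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n):
    return n.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(username, password, salt):
    # x = H(s | H(I ":" P)); only the client ever computes this
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def make_verifier(username, password, salt=None):
    """Enrolment: the server keeps (salt, v = g^x mod N), never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def client_start():
    """Client picks ephemeral a and sends A = g^a mod N with its username."""
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)


def server_challenge(users, username, A):
    """Server answers with (salt, B) and keeps what it needs to check the proof."""
    if A % N == 0:
        raise ValueError("client sent A = 0 mod N")
    salt, v = users[username]
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)        # (A * v^u)^b
    K = hashlib.sha256(pad(S)).digest()
    expected_M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()
    return salt, B, (expected_M1, K)


def client_finish(username, password, a, A, salt, B):
    """Client derives the same session key from the password and returns its proof."""
    if B % N == 0:
        raise ValueError("server sent B = 0 mod N")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u = 0, abort")
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # (B - k g^x)^(a + u x)
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()
    return M1, K


def server_verify(pending, M1):
    """Constant-time check of the client proof; returns the session key or None."""
    expected_M1, K = pending
    return K if secrets.compare_digest(expected_M1, M1) else None


def run_login(users, username, password):
    """Drive one complete exchange; returns (accepted, client_key, server_key)."""
    a, A = client_start()                                   # client -> server: I, A
    salt, B, pending = server_challenge(users, username, A) # server -> client: s, B
    M1, client_key = client_finish(username, password, a, A, salt, B)  # client -> server: M1
    server_key = server_verify(pending, M1)
    return server_key is not None, client_key, server_key


if __name__ == "__main__":
    # Constructed sample user for the demo; the password exists only on the client side.
    users = {"mother-in-law": make_verifier("mother-in-law", "grandkid notes")}
    print(run_login(users, "mother-in-law", "grandkid notes")[0])  # True
    print(run_login(users, "mother-in-law", "wrong guess")[0])     # False
```

The server-side store holds nothing a dump could replay as a password, and a mistyped password shows up only as a proof mismatch, which is what makes the protocol attractive for the "passwords in the clear" problem; what this block does not do is the part the message above calls the real work, namely fitting the exchange into an HTTP challenge, a browser and a server module.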

Received on Saturday, 16 February 2008 21:56:38 UTC