On 2014-04-30 02:14, Jeffrey Goldberg wrote:
> On 2014-04-28, at 5:00 PM, James A. Donald <[email protected]> wrote:
>> Cannot outsource trust. Ann usually knows more about Bob than a distant
>> authority does.
> So should Ann verify the fingerprints of Amazon and Paypal herself?
>> Ann should be logging on by zero knowledge password protocol, so that
>> the entity that she logs on to proves it already knows the hash of her
>> password.
>> ZKPP has to be in the browser chrome, not on the browser web page.
> How do you see that working assuming that Ann is an "ordinary user"?
To the ordinary user, it should not behave any differently, and should only
look different in that the ZKPP login screen looks different from any
possible web page in a way that is quite difficult to fake for any
software that does not already have total control of the user's machine.
Details of how to achieve an unfakeable logon screen appearance depend on
the OS version. To make the ZKPP logon screen in Windows 7 different from
any possible web page, have the browser web page vanish when the
browser's genuine ZKPP logon screen is up. Analogous but different
gimmicks are feasible in other operating systems and system versions.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
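A concrete instance of the zero-knowledge password logon discussed in the thread is SRP-6a: the server keeps only a verifier derived from the salted password hash and must prove it already knows that verifier before the client accepts the session. This is an added example, not code from the thread or its participants; it assumes SRP-6a with SHA-256 and the 1024-bit group from RFC 5054 (transcribed here, so check it against the RFC before any real use), omits the RFC's padding of g and the network layer, and simulates both sides in one process.

```python
"""SRP-6a style zero-knowledge password proof (added example).

Server stores only (salt, v = g^x mod N), never the password.  Both sides
derive the same S only if the client knows the password and the server knows
v.  M1 proves the client knows the password; M2 proves the server knew v.
"""
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 (transcribed; verify against the RFC).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def H(*parts) -> int:
    """SHA-256 over ints (big-endian bytes), str (UTF-8) and bytes, as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p.encode() if isinstance(p, str) else p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier (RFC 5054 pads g to len(N); omitted here)


def enroll(username: str, password: str) -> dict:
    """Server-side enrolment: keep (salt, v) only; the password is discarded."""
    salt = secrets.token_bytes(16)
    x = H(salt, H(f"{username}:{password}"))
    return {"salt": salt, "v": pow(g, x, N)}


def login(username: str, password: str, record: dict) -> tuple:
    """One simulated SRP exchange; returns (client_accepts, server_accepts)."""
    a = secrets.randbelow(N - 2) + 1            # client ephemeral secret
    A = pow(g, a, N)
    b = secrets.randbelow(N - 2) + 1            # server ephemeral secret
    B = (k * record["v"] + pow(g, b, N)) % N    # B = k*v + g^b
    u = H(A, B)
    if A % N == 0 or B % N == 0 or u == 0:      # mandatory abort conditions
        return False, False
    # Client: S = (B - k*g^x)^(a + u*x); only the right password makes g^x = v.
    x = H(record["salt"], H(f"{username}:{password}"))
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, S_c)                           # client's proof of the password
    # Server: S = (A * v^u)^b; it refuses to answer unless M1 matches.
    S_s = pow(A * pow(record["v"], u, N), b, N)
    if M1 != H(A, B, S_s):
        return False, False
    M2 = H(A, M1, S_s)                          # server's proof it already knew v
    return M2 == H(A, M1, S_c), True
```

Neither side ever transmits the password or v, and a phishing page that does not hold v cannot produce a valid M2, which is what makes the server-side proof James asks for checkable by the client.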