On 1 May 2014 08:19, James A. Donald <[email protected]> wrote:
> On 2014-04-30 02:14, Jeffrey Goldberg wrote:
>>
>> On 2014-04-28, at 5:00 PM, James A. Donald <[email protected]> wrote:
>>
>>> Cannot outsource trust. Ann usually knows more about Bob than a distant
>>> authority does.
>>
>>
>> So should Ann verify the fingerprints of Amazon, and Paypal herself?
>
>
> Ann should be logging on by zero knowledge password protocol, so that the
> entity that she logs on to proves it already knows the hash of her password.
EXACTLY!!!

> ZKPP has to be in the browser chrome, not on the browser web page.

This seems obvious, but experiments show users do not understand it. We have yet to find a satisfactory answer to a trusted path for ordinary users.

> How do you see that working assuming that Ann is an "ordinary user"?
>
> To the ordinary user, should not behave any different, and should only look
> different in that the ZKPP login screen looks different from any possible
> web page in a way that is quite difficult to fake for any software that does
> not already have total control of the user's machine.
>
> Details of how to achieve unfakeable logon screen appearance depend on OS
> version. To make the ZKPP logon screen in Windows 7 different from any
> possible web page, have the browser web page vanish when the browser's
> genuine ZKPP logon screen is up. Analogous but different gimmicks are
> feasible in other operating systems and system versions.

Once more: technically unfakeable turns out to be a long way from usably unfakeable.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
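The thread talks about a zero-knowledge password protocol in the abstract: the site Ann logs on to must prove it already holds (a verifier derived from) her password, so a look-alike site that never enrolled her cannot complete the login. The following is an added example, not code from the thread or its participants, showing that property with SRP-6a, one widely deployed ZKPP (the thread does not name a protocol). The group parameters `N = 2**255 - 19`, `g = 2`, the class names and the `ImpostorServer` scenario are assumptions made for readability; real deployments use the RFC 5054 safe-prime groups and a constant-time bignum library. The example covers only the cryptographic half; the trusted-path problem the post raises (where the screen lives and whether users recognise it) is not something code on the wire can solve.

```python
"""Toy SRP-6a exchange: the server proves it holds the password verifier.

Added example for illustration, not code from the mailing-list post.
The modulus below is a toy choice (assumption) so the arithmetic stays
readable; the message flow is the RFC 5054 one, the parameters are not."""
import hashlib
import hmac
import secrets

N = 2**255 - 19                     # toy modulus (assumption; NOT an RFC 5054 group)
g = 2
NLEN = (N.bit_length() + 7) // 8    # fixed-width encoding so hashes are unambiguous


def to_bytes(n):
    return n.to_bytes(NLEN, "big")


def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g))     # SRP-6a multiplier k = H(N, g)


def private_x(salt, username, password):
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username, password):
    """Enrolment: the server keeps (salt, v = g^x mod N); the password itself never leaves the client."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


class Client:
    def __init__(self, username, password):
        self.I, self.P = username, password

    def start(self):
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)
        return self.I, self.A                          # message 1: I, A

    def finish(self, salt, B):
        if B % N == 0:
            raise ValueError("server sent B = 0")
        u = H(to_bytes(self.A), to_bytes(B))
        if u == 0:
            raise ValueError("u = 0")
        x = private_x(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(to_bytes(S)).digest()
        self.M1 = hashlib.sha256(to_bytes(self.A) + to_bytes(B) + self.K).digest()
        return self.M1                                  # message 3: client proof

    def server_proved_knowledge(self, M2):
        """True only if the server derived the same K, i.e. it really holds v."""
        expected = hashlib.sha256(to_bytes(self.A) + self.M1 + self.K).digest()
        return hmac.compare_digest(expected, M2)


class Server:
    def __init__(self, users):
        self.users = users                              # username -> (salt, verifier)

    def challenge(self, I, A):
        if A % N == 0:
            raise ValueError("client sent A = 0")
        salt, v = self.users[I]
        self.b = secrets.randbits(256)
        self.A = A
        self.B = (k * v + pow(g, self.b, N)) % N
        u = H(to_bytes(A), to_bytes(self.B))
        S = pow(A * pow(v, u, N), self.b, N)
        self.K = hashlib.sha256(to_bytes(S)).digest()
        return salt, self.B                             # message 2: salt, B

    def verify_client(self, M1):
        expected = hashlib.sha256(to_bytes(self.A) + to_bytes(self.B) + self.K).digest()
        if not hmac.compare_digest(expected, M1):
            return None                                 # reject: wrong password
        return hashlib.sha256(to_bytes(self.A) + M1 + self.K).digest()   # message 4: server proof


class ImpostorServer:
    """A look-alike site that never obtained the verifier: all it can do is guess."""

    def challenge(self, I, A):
        return secrets.token_bytes(16), secrets.randbelow(N - 1) + 1

    def verify_client(self, M1):
        return secrets.token_bytes(32)                  # it claims success, but with a random proof


def login(server, username, password):
    """Run the exchange; return (server said OK, server proved it knows the verifier)."""
    client = Client(username, password)
    salt, B = server.challenge(*client.start())
    M2 = server.verify_client(client.finish(salt, B))
    if M2 is None:
        return False, False
    return True, client.server_proved_knowledge(M2)


if __name__ == "__main__":
    real = Server({"ann": enroll("ann", "correct horse")})
    print("genuine site, right password:", login(real, "ann", "correct horse"))
    print("genuine site, wrong password:", login(real, "ann", "wrong"))
    print("impostor site:", login(ImpostorServer(), "ann", "correct horse"))
```

The client only treats the login as successful when `server_proved_knowledge` is true; the impostor's "OK" is worthless because M2 is bound to a shared key it could not derive. Each `Server` instance holds one session's state, which is enough to show the flow.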
