On 071209 at 03:55, Nelson Bolyard wrote:
> If FF doesn't have any built-in UI for SRP, I think I have a harder time
> justifying the inclusion of SRP in NSS.  I think it's a feature that
> would be included exclusively for use in the browser, so if the browser
> can't use it "out of the box", there may be push back on it.

SRP is a great protocol also for authentication against your email
provider or WLAN[1] access point. It adds KCM through the user password,
an entity that needs to be managed anyway. It's not only protecting
your password but also strengthens authentication in the face of the
common PKI dilemma.

That said, I agree that web-authentication is the major use case for
TLS-SRP in NSS.

> > So the plan was to create a FF extension instead. One that 'fixes' how
> > the security status is displayed (and perceived, hopefully), and also
> > includes some other ideas with regards to phishing attacks. Then
> > the patch against PSM should be very small if needed at all. I hope
> > this way it will be easier to settle on the way the security interface
> > should work and it may also help to evaluate how some other ideas
> > perform.
> Easier?  Because it's easier to obtain forgiveness than permission?  :-)

Because the usability of such an interface is easier to evaluate and
debug when it does not exist as an outdated crude patch to mozilla cvs
head. It's primarily an academic project.

Anyway.

I'll try to find my way through the code that handles NSS. It'll
probably go a lot faster for someone who knows psm or c++, but I guess
they're all busy, too..


regards,
/steffen

[1] Actually a huge problem, think of PEAP, LEAP, EAP-TLS, EAP-TTLS,
    the Cisco-crap etc. All failed attempts to provide secure pw-auth
    in a not-so-secure PKI environment.
-- 
Getting there isn't half the fun, it's all the fun.
                                        -- Robert Townsend
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
