[cap-talk] Webkeys vs. the web

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Tue Mar 24 15:02:22 EDT 2009


Rob Meijer wrote:
> On Mon, March 23, 2009 21:22, Stiegler, Marc D wrote:
>> I am presuming that the service would be using the "forgot your password"
>> protocol anyway for people who forget their password. In which case, there
>> is no increase in vulnerability: an attacker who has the prerequisite mitm
>> authority can always simply run this attack against you anyway, just by
>> clicking "forgot my password" button for you :-)
> 
> I am surprised that you would consider name/password authentication at all.
> If there is a need for proof of identity, client certificates would IMHO
> be the preferred tool for this.

Cripes, no. Client certificates have an unusable browser UI. Besides, they
don't solve the problem of allowing use from another browser, or from a
cybercafe.

-- 
David-Sarah Hopwood ⚥


