[cap-talk] Webkeys vs. the web
David Wagner
daw at cs.berkeley.edu
Tue Mar 24 21:50:12 EDT 2009
> Seems to me we cannot fix this crisis without client
> side tools that alter client side cryptographic
> behavior, for example, client side tools that do
> password-authenticated key agreement, and manage web
> keys in ways that reflect the fact that they are web
> keys, not regular bookmarks.
OK. My point is that I don't think we can expect individual web sites
to demand that their users deploy such tools; that's a non-starter and
fails to recognize the incentives and concerns facing web site operators.
> Security must be end to end, requiring software at both
> ends. Any retrofit leaves ugly seams exposed that allow
> attack and inconvenience the end user.
To a rough approximation,
You're saying: "anything other than this won't be secure"
I'm saying: "this is non-trivial to deploy"
Note that these two statements are not incompatible.