[cap-talk] Webkeys vs. the web
daw at cs.berkeley.edu
Tue Mar 24 21:50:12 EDT 2009
> Seems to me we cannot fix this crisis without client
> side tools that alter client side cryptographic
> behavior, for example, client side tools that do
> password-authenticated key agreement, and manage web
> keys in ways that reflect the fact that they are web
> keys, not regular bookmarks.
OK. My point is that I don't think we can expect individual web sites
to demand their users to deploy such tools; that's a non-starter and
fails to recognize the incentives and concerns facing web site operators.
> Security must be end to end, requiring software at both
> ends. Any retrofit leaves ugly seams exposed that allow
> attack and inconvenience the end user.
To a rough approximation,
You're saying: "anything other than this won't be secure"
I'm saying: "this is non-trivial to deploy"
Note that these two statements are not incompatible.
More information about the cap-talk