On 071209 at 03:55, Nelson Bolyard wrote:
If FF doesn't have any built-in UI for SRP, I think I have a harder time
justifying the inclusion of SRP in NSS. I think it's a feature that
would be included exclusively for use in the browser, so if the browser
can't use it "out of the box", there may be push back on it.
SRP is a great protocol also for authentication against your email
provider or WLAN[1] access point. It adds KCM through the user password,
an entity that needs to be managed anyway. It's not only protecting
your password but also strengthens authentication in the face of the
common PKI dilemma.
That said, I agree that web-authentication is the major use case for
TLS-SRP in NSS.
So the plan was to create a FF extension instead. One that 'fixes' how
the security status is displayed(and perceived, hopefully), and also
includes some other ideas with regards to phishing attacks. Then
the patch against PSM should be very small if needed at all. I hope
this way it will be easier to settle on the way the security interface
should work and it may also help to evaluate how some other ideas
perform.
Easier? Because it's easier to obtain forgiveness than permission? :-)
Because the usability of such an interface is easier to evaluate and
debug when it does not exist as a outdated crude patch to mozilla cvs
head. It's an primarily an academic project.
Anyway.
I'll try to find my way through the code that handles NSS. It'll
probably go a lot faster for someone who knows psm or c++, but I guess
there all busy, too..
regards,
/steffen
[1] Actually a huge problem, think of PEAP, LEAP, EAP-TLS, EAP-TTLS,
the Cisco-crap etc. All failed attemps to provide secure pw-auth
in a not-so-secure PKI environment.
--
Getting there isn't half the fun, it's all the fun.
-- Robert Townsend
9 messages in org.mozilla.lists.dev-tech-cryptoRe: Comment on tls-srp enhancement?
