[Discuss] eliminating passwords
Richard Pieri
richard.pieri at gmail.com
Mon Jul 29 19:59:24 EDT 2013

Derek Martin wrote:
> Which bank operates a kerberized HTTP server that I can use to access
> my accounts online?

I wish I knew of one. It isn't difficult to implement and it would be a
great deal more secure than any SSL-based system. You can blame the US
Government for this one. ITAR didn't permit export of strong, secure
crypto but did permit export of weak crypto like 40-bit DES. At the same
time, the same US Government was pushing hard for key escrow in
cryptographic systems (remember Clipper?) and against web of trust
systems like PGP.

Which left Netscape in a bind when it came time to implement some kind
of communications security in their browser. They chose to roll their
own, Microsoft copied it, and the world has been stuck with SSL ever since.

--
Rich P.