On Sat, 10 Oct 2015, Edward Ned Harvey (lopser) wrote:
From: David Lang [mailto:da...@lang.hm]
The thing you seem to be missing is that in most cases, bad actor insiders can
do so much damage to you that getting your password is probably the least
dangerous thing that can happen to you.
I am
> From: David Lang [mailto:da...@lang.hm]
>
> The thing you seem to be missing is that in most cases, bad actor insiders can
> do so much damage to you that getting your password is probably the least
> dangerous thing that can happen to you.
I am advocating authentication without exposure of pas
On Sat, 10 Oct 2015, Edward Ned Harvey (lopser) wrote:
The whole point of the thread (and of cbcrypt) is to never expose passwords or
encryption keys to servers, because hackers or bad employees sometimes get it
and do bad stuff with it.
The thing you seem to be missing is that in most cases,
> From: David Nolan [mailto:vitr...@gmail.com]
>
> One of the tenets of the pkinit rfc is that it makes the Kerberos initial key
> exchange better, not because the key/password isn't exposed to the KDC,
> but because the key isn't generated from a password. Any mechanism for
> generating a key
On Saturday, October 10, 2015, Edward Ned Harvey (lopser) <
lop...@nedharvey.com> wrote:
> They should be able to authenticate without exposing their password. BTW,
> this characteristic would be nice to add to Kerberos and OAuth, but that's
> not something I'm immediately looking into.
>
>
You
> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Jonathan Billings
>
> The reason why I think that Brandon and I are really pushing this
> concept is that this is pretty well-established crypto. It works
> really well. It has its downsides -- and I think