-- From: Charlie Kaufman
From a legal perspective, they would probably have a better chance with SRP, since Stanford holds a patent and might be motivated to support the challenge.
The vast majority of phishing attacks and other forms of man-in-the-middle attack seek to steal existing shared secrets - passwords, social security numbers, credit card numbers. I figured that the obvious solution to all this was to deploy zero knowledge technologies, where both parties prove knowledge of the shared secret without revealing the shared secret.

Now I see that zero knowledge technologies have been deployed - or almost so:

SRP-TLS-OpenSSL http://www.edelweb.fr/EdelKey/ (not quite ready for prime time)

And SRP GNU-TLS http://www.gnu.org/software/gnutls/manual/html_node/

Of course, actual use of these technologies means that the browser chrome, not the web page, must set up and verify the password.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
FtM0KMPHrqFLxpaSShaR05Rlxb8CnxF4pHnz9Yqy
4RHOMGs4NJv8heDXAxtfYQ4sYI82tcElZ5wJ4qgvc
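The exchange the post describes, where both sides prove knowledge of the password without the password (or anything that unmasks it) ever crossing the wire, is what SRP does. The following is an added example, written for this page and not code from the post, from EdelKey or from GnuTLS: a compact SRP-6a round trip in which the server stores only a salt and a verifier, each side derives the session key independently, and authentication is mutual. The group parameters are an assumption of the example (the prime 2**255 - 19 with generator 2, chosen so the arithmetic is fast to read and run); a real deployment uses one of the standard SRP groups from RFC 5054, and the function and class names are this example's own.

```python
"""SRP-6a password-authenticated key exchange, end to end (added example)."""
import hashlib
import hmac
import secrets

# Constructed demo group: the prime 2**255 - 19 with generator 2. It is used
# only so the arithmetic is fast and readable; it is NOT one of the RFC 5054
# SRP groups, which a real deployment would use instead.
N = 2**255 - 19
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(n):
    """Fixed-width big-endian encoding, as the SRP-6a hash inputs require."""
    return n.to_bytes(NLEN, "big")


def H(*parts):
    """SHA-256 over the concatenated parts, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(salt, username, password):
    """x = H(salt | H(username ':' password)); exists only transiently on the client."""
    inner = hashlib.sha256(username + b":" + password).digest()
    return H(salt, inner)


def enroll(username, password):
    """Server-side enrollment: the server stores (salt, v), never the password."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return salt, v


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def start(self):
        self.a = secrets.randbelow(N - 2) + 1          # ephemeral private value
        self.A = pow(g, self.a, N)
        return self.A                                   # message 1: A

    def finish(self, salt, B):
        if B % N == 0:
            raise ValueError("rejecting B == 0 mod N")  # check required by RFC 5054
        u = H(pad(self.A), pad(B))
        x = private_x(salt, self.username, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()        # session key
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1                                  # message 3: client proof

    def verify_server(self, M2):
        """Client-side check of the server's proof: mutual authentication."""
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return hmac.compare_digest(expected, M2)


class Server:
    def __init__(self, salt, v):
        self.salt, self.v = salt, v                     # the only stored credential

    def respond(self, A):
        if A % N == 0:
            raise ValueError("rejecting A == 0 mod N")  # check required by RFC 5054
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B                        # message 2: salt, B

    def finish(self, M1):
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N) % N, self.b, N)
        K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + K).digest()
        if not hmac.compare_digest(expected, M1):
            return None                                 # wrong password: no server proof
        return hashlib.sha256(pad(self.A) + M1 + K).digest()  # message 4: M2


def run_exchange(username, enrolled_password, typed_password):
    """Full exchange; True only if both sides authenticate each other."""
    salt, v = enroll(username, enrolled_password)
    client, server = Client(username, typed_password), Server(salt, v)
    A = client.start()
    salt, B = server.respond(A)
    M1 = client.finish(salt, B)
    M2 = server.finish(M1)
    return M2 is not None and client.verify_server(M2)


if __name__ == "__main__":
    print(run_exchange(b"alice", b"correct horse", b"correct horse"))  # True
    print(run_exchange(b"alice", b"correct horse", b"wrong horse"))    # False
```

Two points worth noticing when reading it: the only values on the wire are A, the salt, B, M1 and M2, none of which lets a relay recover the password or the session key; and a wrong password is detected by the server without it ever learning what was typed, which is exactly the property that makes the credential useless to a phishing page. The post's closing remark still applies: this only helps if the browser chrome, not a web page, is the component that runs the client side.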