item 14757628


joegosse | 8 years ago

I love the idea of zero-knowledge password proofs. Others can chime in on the approach you've proposed, but I have a more practical concern about developing critical mass.

How do you break through the chicken and egg problem of not enough users using or not enough browsers supporting this capability?


kerkeslager | 8 years ago

If it's a field on inputs of type password, all you'd get is something like:

<input type='password' password-nonce='42'>

Browsers that support the password-nonce argument sign as I described. Browsers that don't support it pass through the password and the server performs the ZKPP key generation (this is no worse than the current system of hashing passwords). So servers can implement this immediately without worrying about breaking in non-supporting browsers.

After adoption by a few major sites, browsers can add a warning that the server didn't send a password nonce and the password will be passed to the server so the user has to click "Okay" before it gets submitted. This can be escalated to more severe messages to pressure more sites to comply.

dredmorbius | 8 years ago

Find a large user who feels this is a valuable feature and have them adopt it.

Governments are one such large customer.

Vendors, faced with multiple customers requesting a feature, but with slightly varying specifications, will tend to seek a mutually acceptable spec.