From: Mark Curphey (markcurphey.com)
Date: Thu Oct 25 2001 - 09:57:02 CDT


    <rant>

    I don't want to spark an anti-MS debate over this thread but in my opinion
    MS has unduly used its market again in not shipping a JRE. As soon as
    technology is superior, they appear to find a good excuse why it can't go
    into popular desktop OSes and discourage its use, usually in favor of their
    own which magically is ready to be shipped with the latest product.

    Almost all good technology pundits will tell you Java and J2EE is superior
    technology. It's more widely adopted than proprietary technologies and will
    likely win through in the end. I for one am in the process of converting my
    life to a 100% Non-Microsoft one after the decision to drop Java (and
    originally Java from the Visual Studio for .NET support). I live in the US,
    where I am used to being able to make choices for myself and I intend to
    make the choice of technology I have on my desktop for myself. Other users
    like my mother may not be able to make those choices for themselves.

    </rant>

    Few points :

    Why would you choose to put an ActiveX control on a desktop with limited Unix
    support and a huge upsurge in Linux on people's desktops? You are cutting
    out a huge chunk of your customers... only 80% of the world run MS; in large
    user bases like Yahoo with 180 million users that's 23.6 million users who
    wouldn't be able to use your system.

    Do it through a browser using open standards and you won't have this problem
    (MS may treat JavaScript like Java in view of its VBScript; history would
    say I am right!)

    Your customers will almost certainly need a JRE for other applications so I
    wouldn't be that concerned.

    I am not familiar with Tom Wu's scheme at all but implementing it in
    JavaScript doesn't sound right to me... client-side validation can't be
    trusted (at least not yet ;-))

    Mark

    -----Original Message-----
    From: Dawes, Rogan (ZA - Johannesburg) [mailto:rdawes@deloitte.co.za]
    Sent: Thursday, October 25, 2001 7:26 AM
    To: webappsec@securityfocus.com
    Subject: Tom Wu's Secure Remote Password in IE6.0 XP?

    Hi folks,

    I am planning on implementing Tom Wu's Secure Remote Password protocol for
    logging in to a new web application that is being developed. The nice thing
    about SRP is that it can be used to protect the password from the web site
    operators as well - the password is never passed in a recoverable format, so
    there is no temptation for the admins etc.

    Tom has already assisted me in getting a JavaScript implementation of it
    working under both Netscape (using direct JavaScript calls to the underlying
    Java BigInteger classes) and Internet Explorer (using a tiny Java wrapper
    around the BigInteger classes). (See http://srp.stanford.edu/demo.html)

    However, I understand that IE6.0 as shipped with Windows XP does not have a
    Java Virtual Machine, and so this method will not work on the new XP clients
    out there. That is, without requiring the client to download a 5MB JRE
    first!

    I am now trying to find alternative mechanisms of implementing the
    BigInteger functionality in these browsers.

    My thoughts are along the lines of an OCX, or other native Microsoft applet
    (.NET?) that does not depend on Java. This would still be scripted by
    JavaScript if necessary, as this would allow for updates without having to
    recompile the OCX.

    Does this sound like a reasonable approach? If so, does anyone have any
    pointers to existing solutions in this space?

    I am in charge of specifying the security, not coding the application, and
    as such, am not really a web developer at all.

    Thanks for any suggestions.

    Rogan

    --
    In God we Trust -- all others must submit an X.509 certificate.
         -- Charles Forsythe <forsythe@alum.mit.edu>
    --
    Deloitte & Touche Information Security Services
    Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498
    --