On Sun, May 24, 2020 at 12:33:17PM +0200, Katarina Eriksson wrote:

> It would be nice if we had a separate status code for password input, say
> 11. Simple clients could treat this as a 10, intermediate clients could
> hide user input behind asterisks and advanced clients could ask to make a
> call to the password manager (set up in advance) or whatever other
> convenience system there might exist.
>
> This has been mentioned before but I didn't want to dig through the archive
> again. Sorry for the sidetrack.

Yes, I proposed precisely this a long time ago. It never gained much traction, but then it's only very useful on top of a client certificate and *they* are only just now starting to see use, so maybe it's not too surprising.

I think I will add this to the spec. It's very little effort for clients to handle, and it degrades well enough in a client that treats 11 as 10. People will probably do the username/password thing anyway even without it, so we may as well make it possible to protect against shoulder surfing.

Cheers,
Solderpunk
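An added example, not part of the original message or of any existing Gemini client: a sketch of the client-side handling discussed above, where status 11 gets a masked prompt and a client that does not know 11 falls back to treating it as 10. All function names are hypothetical; the `<STATUS><SPACE><META><CR><LF>` header layout and sending the answer as a percent-encoded query string (as for status 10) are assumptions of this sketch.

```python
import getpass
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Assumed header layout: two status digits, one space, META, CRLF.
HEADER_RE = re.compile(r"(\d\d) ([^\r\n]*)\r\n")

def parse_header(line):
    """Split a response header into (status, meta)."""
    m = HEADER_RE.fullmatch(line)
    if m is None:
        raise ValueError("malformed response header")
    return int(m.group(1)), m.group(2)

def input_mode(status, supports_11=True):
    """Return 'masked', 'plain', or None when no input is requested."""
    if status // 10 != 1:
        return None
    if status == 11 and supports_11:
        return "masked"
    # Status 10, an unknown 1x code, or a simple client treating 11 as 10.
    return "plain"

def read_answer(prompt, mode, plain_reader=input, masked_reader=getpass.getpass):
    """Prompt the user; masked mode does not echo what is typed."""
    reader = masked_reader if mode == "masked" else plain_reader
    return reader(prompt + ": ")

def follow_up_url(url, answer):
    """Re-request the same URL with the answer as its query string."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, quote(answer, safe=""), ""))

if __name__ == "__main__":
    # Constructed sample header, as a server might send for a password.
    status, meta = parse_header("11 Password\r\n")
    mode = input_mode(status)
    if mode is not None:
        secret = read_answer(meta, mode)
        print("would request a URL of length",
              len(follow_up_url("gemini://example.org/login", secret)))
```

Masking only hides the input while it is typed; the answer still ends up in the request URL, so a client that masks it would also want to keep that URL out of its history and logs.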