Client certificate musings
solderpunk
solderpunk at SDF.ORG
Sun May 24 16:49:19 BST 2020
On Sun, May 24, 2020 at 12:33:17PM +0200, Katarina Eriksson wrote:
> It would be nice if we had a separate status code for password input, say
> 11. Simple clients could treat this as a 10, intermediate clients could
> hide user input behind asterisks and advanced clients could ask to make a
> call to the password manager (set up in advance) or whatever other
> convenience system there might exist.
>
> This has been mentioned before but I didn't want to dig through the archive
> again. Sorry for the sidetrack.
Yes, I proposed precisely this a long time ago. It never gained much
traction, but then it's only very useful on top of a client certificate
and *they* are only just now starting to see use, so maybe it's not too
surprising.
I think I will add this to the spec. It's very little effort for
clients to handle, and it degrades well enough in a client that
treats 11 as 10. People will probably do the username/password thing
anyway even without it, so we may as well make it possible to protect
against shoulder surfing.
Cheers,
Solderpunk
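
The graceful degradation discussed in this message, sketched as an added example that is not part of the original post or of any Gemini client. The function names are hypothetical; it assumes Gemini's `<STATUS> <META>` CRLF-terminated response header and the status 10 convention of repeating the request with the user's answer as the percent-encoded query string.

```python
import getpass
from urllib.parse import quote, urlsplit, urlunsplit


def parse_header(line: bytes):
    """Split a Gemini response header '<STATUS> <META>\\r\\n' into (status, meta)."""
    text = line.decode("utf-8")
    if not text.endswith("\r\n"):
        raise ValueError("header must end with CRLF")
    status, _, meta = text[:-2].partition(" ")
    if len(status) != 2 or not (status.isascii() and status.isdigit()):
        raise ValueError("status must be two ASCII digits")
    return int(status), meta


def input_mode(status: int, supports_sensitive: bool = True) -> str:
    """Return 'hidden', 'visible' or 'none' for a response status."""
    if status // 10 != 1:
        return "none"            # not an INPUT-class response
    if status == 11 and supports_sensitive:
        return "hidden"          # proposed code: do not echo what is typed
    return "visible"             # 10, or 11 in a client that treats 11 as 10


def follow_up_url(url: str, answer: str) -> str:
    """Build the repeat request with the answer as the query string."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=quote(answer, safe="")))


def handle(url, header, supports_sensitive=True,
           ask=input, ask_hidden=getpass.getpass):
    """Prompt as the status requires; return the next URL or None."""
    status, meta = parse_header(header)
    mode = input_mode(status, supports_sensitive)
    if mode == "none":
        return None
    prompt = meta + ": "
    answer = ask_hidden(prompt) if mode == "hidden" else ask(prompt)
    return follow_up_url(url, answer)
```
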