Hacker News

No, Zed, I'm saying the post we're commenting on is the first time I've heard about you doing 2-factor auth. Why would you think I would comment on a post I hadn't read?

You keep talking about "the math of the Javascript". You're a smart guy. I think you know that we're not saying the math in SJCL is wrong. I don't know what "just browser attacks" means; you're asking the browser to implement cryptography, so the browser is relevant.

Nate does talk about "the math of Javascript", by the way.




I know he talks about it, but he doesn't really. He starts talking about it, and then switches to a browser environment attack.

The main crux of my disagreement with you is that you say: Doing javascript in the browser makes it more vulnerable to an exploit than just doing bcrypt+ssl passwords. However, if someone can exploit the browser (XSS, content modification, etc.) then no login system is safe.

In other words, you're pimping bcrypt+ssl as a better alternative because it's NOT vulnerable to browser environment exploits, but it is. Every browser is.

A browser environment exploit is all the things you keep bringing up: cache poisoning, SSL exploits, phishing, XSS attacks, content modification, etc.


You think maybe he's making it up?

:)



