Status of SRP

Travis H. solinym at gmail.com
Fri Jun 2 07:47:11 EDT 2006


On 5/30/06, Derek Atkins <warlord at mit.edu> wrote:
> Quoting "James A. Donald" <jamesd at echeque.com>:
> > The obvious solution to the phishing crisis is the widespread
> > deployment of SRP, but this does not seem to be happening.  SASL-SRP was
> > recently dropped.  What is the problem?
>
> Patents.

Seconded.  When I was doing some software development, we investigated
strong password solutions, and to my knowledge they were all under the
shadow of patents.

In the end, it didn't matter, since I was using it in a distributed
IDS system, and users weren't necessarily going to be present, even at
boot.  For machine-to-machine authentication, they're irrelevant
(assuming a good source of unpredictability).  For everything but
first-time authentication between the browser and the site, and key
changes, they can be ignored in favor of cached keys (a la ssh) if you
can design a UI that presents them in an easy-to-understand manner.

Rumor has it that Vista will send every URL visited to Microsoft for
vetting against a blacklist ostensibly to protect users against
phishing*, which I suppose trades one problem for another, although
for most people's concerns it's probably a win, since they're running
a MS product in the first place.  It can allegedly be turned off.

[*] When it was announced that the low-cost Asian version of Windows
would only be able to run a limited number of programs at once (I
think it was four), MS's PR department described the limit as being
there to "reduce confusion".  That's either insulting to all Asians'
intelligence, or everyone's, depending on how credulous you are.  I
wonder how much they get paid to come up with things like that.
-- 
Scientia Est Potentia -- Eppur Si Muove
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
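The "cached keys (a la ssh)" idea in the post above, shown as an added example that is not part of the original message: a trust-on-first-use store in the style of an ssh known_hosts file. The first connection to a host pins its key fingerprint; later connections are checked against the pin; a changed key is refused until someone explicitly accepts it after out-of-band verification. The hostnames and key bytes are constructed placeholders, the file format is an assumed JSON map, and fingerprints are hex SHA-256 rather than the base64 form ssh prints.

```python
"""Trust-on-first-use (TOFU) key cache, ssh known_hosts style.

Added example; not code from the mailing-list post or from any SRP
implementation. Assumes a JSON file keyed by hostname holding one
fingerprint per host. Key material below is a constructed placeholder.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, Optional


class KeyMismatch(Exception):
    """The host presented a key that differs from the one pinned on first use."""

    def __init__(self, host: str, cached: str, presented: str) -> None:
        super().__init__(f"{host}: pinned {cached[:16]}..., got {presented[:16]}...")
        self.host, self.cached, self.presented = host, cached, presented


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the raw public key bytes (ssh shows the same hash in base64)."""
    return hashlib.sha256(public_key).hexdigest()


class KeyCache:
    """Pins the first key seen per host; refuses silent key changes afterwards."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.entries: Dict[str, str] = {}
        if path is not None and path.exists():
            self.entries = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.entries, indent=2))

    def check(self, host: str, public_key: bytes) -> str:
        """Return 'first-use' (key pinned now) or 'known' (matches the pin).

        A host whose key differs from the pin raises KeyMismatch; the caller
        must not proceed on that connection.  Note the limit the post points
        at: a lookalike hostname is simply a *new* host and gets 'first-use',
        so the first-contact step still depends on the user and the UI.
        """
        presented = fingerprint(public_key)
        cached = self.entries.get(host)
        if cached is None:
            self.entries[host] = presented
            self._save()
            return "first-use"
        if cached == presented:
            return "known"
        raise KeyMismatch(host, cached, presented)

    def rotate(self, host: str, public_key: bytes) -> None:
        """Accept a key change explicitly, after out-of-band verification."""
        self.entries[host] = fingerprint(public_key)
        self._save()


def demo() -> list:
    """Walk through first contact, repeat contact, key change, and rotation."""
    cache = KeyCache()                      # in-memory; pass a Path to persist
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    log = [cache.check("bank.example", key_a),   # first-use
           cache.check("bank.example", key_a)]   # known
    try:
        cache.check("bank.example", key_b)       # silent key change
    except KeyMismatch:
        log.append("mismatch")
    cache.rotate("bank.example", key_b)          # operator verified the change
    log.append(cache.check("bank.example", key_b))
    return log


if __name__ == "__main__":
    print(demo())
```

The cache only turns the problem into the two cases the post names, first-time contact and key changes; both still need a verification step the user can understand, which is the UI design problem the post leaves open.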
