Status of SRP

Ka-Ping Yee cryptography at zesty.ca
Tue May 30 22:00:59 EDT 2006


On Wed, 31 May 2006, James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to happening.  SASL-SRP was recently
> dropped.  What is the problem?

"Phishing" can mean a few different things.  If by "phishing" you
mean the stealing of passwords, then yes, SRP would help to eliminate
that problem, but users could still be fooled into giving away their
SRP passwords if the user interface for entering the password is
convincingly imitated.

Some people use "phishing" to refer to the online capture of
identity-related information in general, in which case SRP falls
far short of a complete solution.  I think it's a difference in
philosophy: some see passwords as the ultimate goal; some see
passwords as one of many possible means to the ultimate end, which
is identity theft.

I'm working on Passpet, a password management tool that tries to
address several of the big phishing-related problems including
password capture and dictionary attack, and for the authentication
part i chose SRP.  So that's one place it's getting used, anyway.


-- ?!ng

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list