Gutmann Soundwave Therapy
Eric Rescorla
ekr at networkresonance.com
Wed Feb 6 17:09:24 EST 2008
At Mon, 04 Feb 2008 14:29:50 +1000,
James A. Donald wrote:
>
> James A. Donald wrote:
> >> I have figured out a solution, which I may post here
> >> if you are interested.
>
> Ian G wrote:
> > I'm interested. FTR, zooko and I worked on part of
> > the problem, documented briefly here:
> > http://www.webfunds.org/guide/sdp/index.html
>
> I have posted "How to do VPNs right" at
> http://jim.com/security/how_to_do_VPNs.html
>
> It covers somewhat different ground to that which your
> page covers, focusing primarily on the problem of
> establishing the connection.
>
> "humans are not going to carry around large
> strong secrets every time either end of the
> connection restarts. In fact they are not going
> to transport large strong secrets any time ever,
> which is the flaw in SSL and its successors such
> as IPSec and DTLS
This paragraph sure is confused.
1. IPsec most certainly is not a successor to SSL. On
the contrary, IPsec predates SSL.
2. TLS doesn't require you to carry around strong secrets.
I refer you to TLS-SRP [RFC 5054]
3. For that matter, even if you ignore SRP, TLS supports
usage models which never require you to carry around
strong secrets: you preconfigure the server's public
key and send a password over the TLS channel. Since
this is the interface SSH uses, the claim that humans
won't do it is manifestly untrue.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list