TLS-SRP & TLS-PSK support in browsers (Re: Dutch Transport Card Broken)
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Thu Feb 7 10:37:57 EST 2008
On Thu, Feb 07, 2008 at 08:47:20PM +1300, Peter Gutmann wrote:
> Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:
>
> >While Firefox should ideally be developing and testing PSK now, without
> >stable libraries to use in servers and browsers, we can't yet expect anything
> >to be released.
>
> Is that the FF developers' reason for holding back? Just wondering... why not
> release it with TLS-PSK/SRP anyway (particularly with 3.0 being in the beta
> stage, it'd be the perfect time to test new features), tested against existing
> implementations, then at least it's ready for when server support appears. At
> the moment we seem to be in a catch-22, servers don't support it because
> browsers don't, and browsers don't support it because servers don't.

I don't have any idea why or why not, but all they can release now is
source code with #ifdef openssl >= 0.9.9 ... do PSK stuff ... #endif,
with binaries (dynamically) linked against the default OpenSSL on the
oldest supported release of each platform... For RedHat 4.x systems,
for example, that means that binary packages use 0.9.7...

Distributions that build their own Firefox from source may at some point
have PSK (once they ship OpenSSL 0.9.9). I don't think we will see this
available in many users' hands for 2-3 years after the code is written
(fielding new systems to the masses takes a long time...).

--
/"\ ASCII RIBBON NOTICE: If received in error,
\ / CAMPAIGN Victor Duchovni please destroy and notify
X AGAINST IT Security, sender. Sender does not waive
/ \ HTML MAIL Morgan Stanley confidentiality or privilege,
and use is prohibited.
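
The version gating described in the message above, worked through as an added example (not part of the original post, and not Firefox or OpenSSL code). It goes one step beyond the message by also covering a binary built with PSK but loaded against an older shared library. The helper names and the sample version values are assumptions constructed for illustration; only the 0.9.9 threshold and the 0.9.7 platform library come from the message.

```c
#include <stdio.h>

/* OpenSSL releases before 3.0 pack the version into one number, 0xMNNFFPPS:
 * M major, NN minor, FF fix, PP patch letter, S status (0 dev, f release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

struct ossl_ver decode_ver(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Threshold taken from the message ("openssl >= 0.9.9"), in packed form. */
#define PSK_MIN_VERSION 0x00909000UL

enum psk_state { PSK_COMPILED_OUT, PSK_RUNTIME_TOO_OLD, PSK_USABLE };

/* Hypothetical helper. In a real client, built_against would be the header
 * macro OPENSSL_VERSION_NUMBER and loaded the value the shared library
 * reports at run time (SSLeay() in the 0.9.x API). */
enum psk_state psk_availability(unsigned long built_against, unsigned long loaded)
{
    if (built_against < PSK_MIN_VERSION)
        return PSK_COMPILED_OUT;     /* the #ifdef removed the PSK code */
    if (loaded < PSK_MIN_VERSION)
        return PSK_RUNTIME_TOO_OLD;  /* PSK symbols missing from the library */
    return PSK_USABLE;
}

int main(void)
{
    /* Constructed sample values: 0.9.7a release and 0.9.9 development. */
    static const char *names[] = { "compiled out", "runtime too old", "usable" };
    unsigned long cases[][2] = {
        { 0x0090701fUL, 0x0090701fUL },  /* binary built on oldest platform */
        { 0x00909000UL, 0x0090701fUL },  /* new build, old system library */
        { 0x00909000UL, 0x00909000UL },  /* distribution build with 0.9.9 */
    };
    for (int i = 0; i < 3; i++) {
        struct ossl_ver b = decode_ver(cases[i][0]), l = decode_ver(cases[i][1]);
        printf("built %u.%u.%u, loaded %u.%u.%u: PSK %s\n", b.major, b.minor, b.fix,
               l.major, l.minor, l.fix, names[psk_availability(cases[i][0], cases[i][1])]);
    }
    return 0;
}
```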