[Cryptography] Toxic Combination

Ben Laurie benl at google.com
Wed Dec 3 12:56:47 EST 2014

On Wed Dec 03 2014 at 4:51:53 PM Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> Benjamin Kreuter <brk7bx at virginia.edu> writes:
> >So. What would it take to get
> >
> >(1) scrypt/some other sequential-hard KDF
> >
> >(2) a zero-knowledge challenge-response PAKE protocol
> >
> >into UAs?
>
> If by "UAs" you mean "browsers" then the answer is "something on the order of
> divine intervention".  The browser vendors have to date shown themselves to be
> totally resistant to implementing anything that would threaten the CA business
> model, so it's unlikely that something like TLS-SRP or TLS-PSK will ever be
> supported.

I think that's a completely unfair accusation - the difficulty has always
been the lack of a _usable_ way to _securely_ implement such protocols.

And by "usable" I mean a user experience that is

a) satisfactory to the user.

b) satisfactory to the site operator.

c) possible to transition to from existing systems easily (for at least the

And it has to be secure - which includes "not allow credential theft _even
by the site operator_".

This appears to be a tall order. But produce it, and I would certainly
fight hard for implementation.

BTW, it's not clear to me how either of these would remove the need for
something with a CA-like role.

Also, the same difficulty is a barrier to PAKEs.