[Cryptography] To what is Anderson referring here?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jun 4 05:57:13 EDT 2014


Christian Huitema <huitema at huitema.net> writes:

>EKE would probably be deployed more often if people were not concerned with
>the patents.

It's not the patents, it's because you use certificates for situations where
EKE would be appropriate.  No other options (for example EKE) exist.  Look at
browsers, TLS-SRP and TLS-PSK have been standardised, and freely usable, for
years but no browser (or web server) vendor supports them, or is interested in
supporting them.  SSH is no better, you fire up a tunnel and hand over the
password in plaintext over it, or use public-key auth (OK, not certificates
but the SSH equivalent), there's no attempt at any EKE-like mechanism.  It's
the same for many other protocols, it's either certificates or passwords, and
that's it.

Peter.

