[Cryptography] On the deployment of client-side certs

Tony Arcieri bascule at gmail.com
Tue Nov 15 16:18:18 EST 2016

On Tue, Nov 15, 2016 at 2:08 AM, Jerry Leichter <leichter at lrw.com> wrote:

> Given the hardware necessary to do that, wouldn't it be easier, more
> efficient, and less likely to leak identity information to use it to
> implement a password-authenticated key agreement protocol like SRP?

Note there are many other modern PAKE algorithms based on ECC which are
much easier to implement in constant time than SRP, as the latter generally
relies on bignums. SPAKE2(+) and SPAKE2-EE come to mind.

That said, I think there are few use cases where PAKE actually makes sense,
particularly for UX reasons. I do not think it makes sense to use PAKE in a
browser context. The only way I think it could work securely is with
something like the reviled Basic Auth modal dialog, which to me is a UX
antipattern which has largely been phased out of the modern web.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20161115/765a7f1b/attachment.html>

More information about the cryptography mailing list