> I don't know the details of J-Pake etc.,

This is a type of protocol that allows *mutual* authentication using simple passwords or other shared secrets without leaking any information about the passwords (so dictionary attacks on the captured traffic etc. do not work). As a result of the authentication both parties get a strong shared cryptographic key that they can use for symmetric encryption.

> but if it could verify a fingerprint to a domain the user has chosen to communicate with (even better without a CA - self signed)

SRP/J-PAKE assumes that the user somehow already possesses a shared secret. They cannot be used for password generation. This is not a problem for banks as they typically send the initial password and/or hardware token by post. For ordinary websites this is typically not an option. So even if those protocols are used for encryption as an SSL replacement, some initial establishment of trust must be done by other means. This is where using SRP/J-PAKE for certificate verification would be very useful on the current web, as this implies that the user is vulnerable only during the initial registration. After that she can always be assured that the site where she enters the password indeed knows it.

On 1 October 2013 13:54, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
>> I agree that deploying token-based security mechanisms may take time in many
>> countries; so interim security mechanisms are desirable.
>
> True but SSL should be secure too. Not just SSL from banks.
>
> I don't know the details of J-Pake etc., but if it could verify a
> fingerprint to a domain the user has chosen to communicate with (even
> better without a CA - self signed) then that may be a real step forward
> as DNSSEC isn't even close to being as secure or as reliable as it
> should or would need to be.
>
> --
> 'Write programs that do one thing and do it well. Write programs to work
> together. Write programs to handle text streams, because that is a
> universal interface'
>
> (Doug McIlroy)

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
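
The exchange described in the reply above, sketched as an SRP-6a style handshake; this is an added example, not part of the original post and not code from any SRP library. The group parameters, hash layout and the names `register`, `login` and `proof` are assumptions chosen for the demonstration.

```python
import hashlib, hmac, secrets

# Demo group (assumption): Mersenne prime 2**521 - 1 with g = 3. It is not a
# safe prime; real deployments use the vetted groups from RFC 5054.
N, G = 2**521 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed ints/bytes, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

K = H(N, G)  # SRP-6a multiplier k

def proof(key, label, *vals):
    """HMAC key-confirmation tag over the handshake values."""
    msg = label + b"|".join(str(v).encode() for v in vals)
    return hmac.new(key, msg, "sha256").digest()

def register(user, password):
    """One-time enrolment over a trusted channel: server keeps (salt, verifier)."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, H(salt, user.encode(), password.encode()), N)

def login(user, typed_password, salt, verifier):
    """Both sides of one exchange; returns (server_accepts, client_accepts)."""
    a = secrets.randbelow(N - 2) + 1            # client ephemeral secret
    A = pow(G, a, N)                            # client -> server
    b = secrets.randbelow(N - 2) + 1            # server ephemeral secret
    B = (K * verifier + pow(G, b, N)) % N       # server -> client, with salt
    if A % N == 0 or B % N == 0:
        raise ValueError("illegal public value")
    u = H(A, B)
    # Client side: needs the password itself.
    x = H(salt, user.encode(), typed_password.encode())
    S_c = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    k_c = hashlib.sha256(str(S_c).encode()).digest()
    # Server side: needs only the stored verifier.
    S_s = pow(A * pow(verifier, u, N) % N, b, N)
    k_s = hashlib.sha256(str(S_s).encode()).digest()
    m1 = proof(k_c, b"client", A, B)            # client proves its key first
    server_accepts = hmac.compare_digest(m1, proof(k_s, b"client", A, B))
    m2 = proof(k_s, b"server", A, m1.hex())     # server's reply proof
    client_accepts = hmac.compare_digest(m2, proof(k_c, b"server", A, m1.hex()))
    return server_accepts, client_accepts
```

Only `A`, `B`, the salt and the two proofs cross the wire. A peer holding a verifier for a different password fails the client's check, which is the "site indeed knows it" assurance the reply describes.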