On Tue, Aug 19, 2008 at 12:06 PM, Jonathan Dickinson <[EMAIL PROTECTED]> wrote:
> Very good point Justin. Even if we implement SRP chances are that you could 
> get a few lazy developers that don't quit on the documented failure points. 
> Something simple to implement (I am going to read up on OTR now :)) may be a 
> good solution.

Well, this is always a possibility, but PAKE-style systems are
actually more robust here, since you get mismatched keys if the
passwords are not equal. The major way to get hosed is to accept
a bogus DH group.

-Ekr
