On Fri, Aug 22, 2008 at 1:53 PM, Jonathan Schleifer <[EMAIL PROTECTED]> wrote:
> On 22.08.2008 at 22:35, Dirk Meyer wrote:
>
>> Advantages SRP:
>> users can select a password they can remember
>> users could use the same link to exchange the password if they talk
>> in a riddle an attacker may not know (name of the person I talked
>> to you about yesterday that wants to buy a new TV)
>
> Wouldn't that mean an attacker could choose the question and choose one to
> which he knows the answer because it's not so secret? If an attacker does
> that with both ends, he has won, because he selected the question. Correct
> me if I'm wrong. I'm more for SAS anyway :). Most users will choose too easy
> questions.

I don't know what you're suggesting here. The protocol simply takes a password as an input. You need to establish the context for it out of band in a secure way, just as you need a secure channel for the SAS.

-Ekr
