Dirk Meyer wrote:
> Eric Rescorla wrote:
>> I don't have time to write a full note here, but I wanted to observe that
>> the corresponding TLS mechanism to SCRAM is really TLS-PSK,
>> which *is* in OpenSSL. SRP differs from SCRAM and PSK in that
>> an attacker can't dictionary search the password offline, whereas
>> in SCRAM/PSK he can.
>
> I would like to hear your thoughts on
> http://xmpp.org/extensions/inbox/jingle-xtls.html#sect-id2254294
>
> I agree with you, for me TLS-SRP looks like a better method than channel
> bindings with SCRAM. Do you know of any post 2002 development of the SRP
> patent issues?

Better in what sense? What exactly is the password? Are they ephemeral, so that you and I agree on it in some very temporary way (e.g., we're in the same chatroom and agree to use the current discussion topic or whatever)? What is the attack window? If it is small, we might not need to worry about dictionary searches.

I'm still trying to understand the channel binding magic, but I agree with Dave that if we settle on SCRAM as the go-forward mandatory to implement SASL mechanism for the c2s case (as seems likely), then we'll already have support for it in the clients so re-using it for the e2e case would be somewhat straightforward.

/psa
