On 3/6/09 6:04 AM, Dave Cridland wrote:
> On Fri Mar 6 03:33:53 2009, Eric Rescorla wrote:
>
>> Obviously, you could do something SRP-oid at the app layer, but we really
>> should decide if dictionary attack resistance is an important element.
>
> I don't think it is - we're not talking in terms of a long-term
> shared-secret, we're talking about an ephemeral secret shared (say) over
> the phone, used purely to verify a channel, and, by that, optionally the
> peer's X.509 cert.
Correct. AFAIK we're making the following assumptions:

1. Everyone has X.509 certs.
2. Some/most X.509 certs are self-signed, not issued by trusted CAs.
3. For the first communication session, the parties need to verify each other's certs.
4. If the certs are self-signed, that could be done by checking the fingerprints via some other/trusted channel (PGP-encrypted email or whatever), but very few people will do that. We don't want folks to take the leap of faith, so we need an ephemeral password-based method.
5. That reduces to either SRP or some kind of SCRAM-ish channel binding.

But, yes, we need to define the threat model. Dirk and I will work that into the next version of our proposal.

Peter

--
Peter Saint-Andre
https://stpeter.im/
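An added illustration (not from this thread or from the proposal Peter mentions) of the "ephemeral secret used purely to verify a channel" idea: a short password told over the phone is stretched and used to HMAC both endpoints' certificate fingerprints, so a tag relayed through an interposer who swapped in its own self-signed cert fails to verify. The context label, salt, nonce and certificate bytes are constructed placeholders, and this is plain HMAC-based channel verification, not SRP or SCRAM.

```python
import hashlib
import hmac

# Hypothetical label for domain separation; not taken from any specification.
CONTEXT = b"ephemeral-channel-verify-v0"


def fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 fingerprint of a DER-encoded certificate (what a user would otherwise read out)."""
    return hashlib.sha256(cert_der).digest()


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the ephemeral password. This slows offline guessing but does not turn a
    short phone-spoken secret into a strong key; that is the dictionary-attack question."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def channel_tag(key: bytes, nonce: bytes, sender_fp: bytes, receiver_fp: bytes) -> bytes:
    """HMAC over both endpoints' fingerprints binds the password to this specific channel."""
    return hmac.new(key, CONTEXT + nonce + sender_fp + receiver_fp, hashlib.sha256).digest()


def verify_channel(password, salt, nonce, alice_cert, bob_cert, alice_sees, bob_sees) -> bool:
    """Alice tags the channel as she sees it (her cert, the peer cert shown to her);
    Bob recomputes from his view. True only if both observe the same pair of certs."""
    key = derive_key(password, salt)
    tag_from_alice = channel_tag(key, nonce, fingerprint(alice_cert), fingerprint(alice_sees))
    expected_by_bob = channel_tag(key, nonce, fingerprint(bob_sees), fingerprint(bob_cert))
    return hmac.compare_digest(tag_from_alice, expected_by_bob)


# Constructed stand-ins for DER certificates; any distinct byte strings serve the demo.
ALICE_CERT = b"-- constructed self-signed cert: alice --"
BOB_CERT = b"-- constructed self-signed cert: bob --"
MITM_CERT = b"-- constructed self-signed cert: interposer --"
SALT = b"constructed-salt"
NONCE = b"constructed-nonce"


def honest_session() -> bool:
    # Each side sees the other's genuine certificate.
    return verify_channel("7-rose-42", SALT, NONCE, ALICE_CERT, BOB_CERT, BOB_CERT, ALICE_CERT)


def interposed_session() -> bool:
    # An interposer presents its own cert to each side; the relayed tag covers the
    # wrong fingerprints, and without the password it cannot compute a fresh one.
    return verify_channel("7-rose-42", SALT, NONCE, ALICE_CERT, BOB_CERT, MITM_CERT, MITM_CERT)


if __name__ == "__main__":
    print("honest:", honest_session(), "interposed:", interposed_session())
```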