Dirk Meyer <[email protected]> writes:

> Yes. That is some sort of problem. Another idea would be to use
> something else inside 'security-info' to verify the certificates after
> the TLS handshake if they are not known. This requires some sort of
> channel bindings. The good idea to use the TLS Finished messages has
> the same problem as SRP since it requires support in the TLS lib. A
> different idea is to use the certificates in the channel binding
> process: password = sha1(cert1 + cert2 + user password)
>
> It is possible to use SRP outside TLS for the channel bindings. As
> already pointed out, my understanding is that SCRAM is not secure and
> the client in the role of the TLS server can run a dictionary
> attack. What we need is a channel binding SASL method based on SRP.

Time to restart this document, perhaps?

http://www.melnikov.ca/mel/Drafts/draft-burdis-cat-srp-sasl-07.txt

I would replace the security layer with a channel binding to TLS, though.

/Simon
