[27000] in cryptography@c2.net mail archive
Re: Status of SRP
daemon@ATHENA.MIT.EDU (James A. Donald)
Thu Jun 1 10:13:15 2006
X-Original-To: cryptography@metzdowd.com
Date: Thu, 01 Jun 2006 16:01:57 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: cryptography@metzdowd.com
In-Reply-To: <87mzcy7o90.fsf@mid.deneb.enyo.de>
--
Florian Weimer wrote:
> There is no way to force an end user to enter a
> password only over SRP.
Phishing relies on the login page looking familiar. If
SRP is in the browser chrome, and looks strikingly
different from any web page, the login page will not
look familiar.
> Fortunately, it doesn't matter because today, we must
> assume that the client is thoroughly compromised,
> which means that entering passwords over SRP isn't
> safe, either.
That is an all-purpose argument that is deployed
selectively against some measures and not others.
--digsig
James A. Donald
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com