[144740] in cryptography@c2.net mail archive
Re: Client Certificate UI for Chrome?
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sun Aug 16 21:24:14 2009
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: jamesd@echeque.com
Cc: cryptography@metzdowd.com
In-Reply-To: <4A822468.6000401@echeque.com>
Date: Mon, 17 Aug 2009 12:57:54 +1200
"James A. Donald" <jamesd@echeque.com> writes:
>[Incredibly complicated description of web scripting plumbing deleted]
We seem to be talking about completely different things here. For a typical
application, say online banking, I connect to my bank at www.bank.com or
whatever, the browser requests my credential information, and the TLS-SRP or
TLS-PSK channel is established. That's all. There's no web application
framework and PHP and scripting and other stuff at all, in fact I can't even
see how you'd inject this into the process.
>Further, if we do the SRP dance every single page, it is a huge performance
>hit, with many additional round trips. One loses about 20 percent of one's
>market share for each additional round trip.
You only do it once when the TLS session is set up, it's exactly as for
standard TLS except that instead of PKI-based non-authentication you use
cryptographic mutual authentication. How do you get an SRP exchange for every
web page?
Peter.
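
Added illustration, not part of the original message: a Python sketch of the point made above, that the SRP-6a exchange runs once at session setup and every later request is protected by the key it produced. Assumptions: the group parameters are toy values rather than an RFC 5054 group, the hash construction is simplified, the HMAC tag stands in for the TLS record layer, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy group (assumption), chosen only to keep the listing short.
# Real TLS-SRP uses the groups defined in RFC 5054.
N, g = 2**521 - 1, 3
SIZE = 66  # bytes needed to hold any value mod N

def H(*parts):
    """SHA-256 over the concatenated parts, returned as an integer."""
    data = b"".join(p if isinstance(p, bytes) else p.to_bytes(SIZE, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def enroll(user, password):
    """Registration: the server keeps (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, user + b":" + password), N)

def handshake(user, password, salt, v):
    """One SRP-6a exchange. Returns (client_key, server_key)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                      # client -> server: user, A
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N        # server -> client: salt, B
    u = H(A, B)
    x = H(salt, user + b":" + password)   # client recomputes x from the password
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(v, u, N) % N, b, N)
    return (hashlib.sha256(s_client.to_bytes(SIZE, "big")).digest(),
            hashlib.sha256(s_server.to_bytes(SIZE, "big")).digest())

def fetch_pages(client_key, server_key, paths):
    """Stand-in for the TLS record layer: every request after the handshake
    is authenticated with the session key, with no further SRP exchange."""
    accepted = 0
    for path in paths:
        tag = hmac.new(client_key, path, hashlib.sha256).digest()       # client side
        expected = hmac.new(server_key, path, hashlib.sha256).digest()  # server side
        accepted += hmac.compare_digest(tag, expected)
    return accepted
```

With the right password both sides derive the same key from a single exchange and any number of page requests verify under it; with a wrong password the keys differ and nothing verifies.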