[145877] in cryptography@c2.net mail archive
Re: Hashing algorithm needed
daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Sep 15 08:34:01 2010
Date: Wed, 15 Sep 2010 11:10:16 +0100
From: Ben Laurie <ben@links.org>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
CC: Marsh Ray <marsh@extendedsubset.com>, Ian G <iang@systemics.com>,
cryptography@metzdowd.com
In-Reply-To: <20100914232654.GD3982@oracle.com>
On 15/09/2010 00:26, Nicolas Williams wrote:
> On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote:
>> How do you deliver Javascript to the browser securely in the first
>> place? HTTP?
>
> I'll note that Ben's proposal is in the same category as mine (which
> was, to remind you, implement SCRAM in JavaScript and use that, with
> channel binding using tls-server-end-point CB type).
>
> It's in the same category because it has the same flaw, which I'd
> pointed out earlier: if the JS is delivered by "normal" means (i.e., by
> the server), then the script can't be used to authenticate the server.
That's one of the reasons I said it was only good for experimenation.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
