[18904] in cryptography@c2.net mail archive
RE: How broad is the SPEKE patent.
daemon@ATHENA.MIT.EDU (James A. Donald)
Thu Nov 10 16:53:31 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: "cypherpunks@jfet.org" <cypherpunks@jfet.org>,
"cryptography@metzdowd.com" <cryptography@metzdowd.com>
Date: Thu, 10 Nov 2005 13:28:46 -0800
In-reply-to: <F0B4EE8E56F9DD4B80419C6D82521397624AEC@df-foxhound-msg.exchange.corp.microsoft.com>
--
From: Charlie Kaufman
> From a legal perspective, they would
> probably have a better chance with SRP, since Stanford
> holds a patent and might be motivated to support the
> challenge.
The vast majority of phishing attacks and other forms of man in the
middle attack seek to steal existing shared secrets - passwords,
social security numbers, credit card numbers.
I figured that the obvious solution to all this was to deploy zero
knowledge technologies, where both parties prove knowledge of the
shared secret without revealing the shared secret.
Now I see that zero knowledge technologies have been deployed - or
almost so:
SRP-TLS-OpenSSL http://www.edelweb.fr/EdelKey/ (not quite ready
for prime time)
And SRP GNU-TLS http://www.gnu.org/software/gnutls/manual/html_node/
Of course, actual use of these technologies means that the browser
chrome, not the web page, must set up and verify the password.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
FtM0KMPHrqFLxpaSShaR05Rlxb8CnxF4pHnz9Yqy
4RHOMGs4NJv8heDXAxtfYQ4sYI82tcElZ5wJ4qgvc
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
