At 04:58 PM 6/12/00 -0500, Rick Smith wrote:
> ... They [Verisign] haven't figured out how to embed it in a
> product yet. Without more information it's impossible for me to tell if
> they've actually constructed something useful.
I'd be surprised if they didn't have some kind of product figured out.
They did pre-announce a customer. Of course we do need more information
than www.verisign.com/rsc/wp/roaming, and I hope this is forthcoming after
the paper is presented.
> There was some vagueness about the "verifier of K" value that made me
> suspect they've left some conceptual holes unfilled. So we'll have to wait
> for a real technical description before we can tell if this is a real
> problem solution or an interesting but academic protocol design exercise.
I like mysteries. The "verifier for K" seems to be a public key corresponding
to a private key derived from K. Maybe it uses DSA, DH, or with some work,
even RSA. But I found their description of key-share distribution to be truly
opaque.
I can see that their beige paper might describe a range of solutions.
My main questions are: How far do they go? ... could they go? ... and with
what limitations? Here's a statement from the paper that suggests that
they really found a true zero-knowledge protocol:
"The various [key shares] K_i are combined in the client to produce
strong secret K. The messages exchanged in this phase have been
designed such that they reveal no information about the password
or any [server secrets] B_i."
I'll admit to having spent some effort in this field, and I'll post some results
later, but I'd still like to hear other people's thoughts or speculations about
eliminating crackable password files. Zero-knowledge solutions are naturally
the most interesting to me, but I'd also like to know what people think of other
alternatives. Arcot roaming comes to mind as another partial mystery.
-- David
---------------------------------------------------
David P. Jablon
Integrity Sciences, Inc.
[EMAIL PROTECTED]
www.IntegritySciences.com
