--
From:                   Charlie Kaufman
> From a legal perspective, they would
> probably have a better chance with SRP, since Stanford
> holds a patent and might be motivated to support the
> challenge.

The vast majority of phishing attacks and other forms of man in the 
middle attack seek to steal existing shared secrets - passwords, 
social security numbers, credit card numbers.

I figured that the obvious solution to all this was to deploy zero 
knowledge technologies, where both parties prove knowledge of the 
shared secret without revealing the shared secret.

Now I see that zero knowledge technologies have been deployed - or 
almost so:

SRP-TLS-OpenSSL   http://www.edelweb.fr/EdelKey/  (not quite ready 
for prime time)

And SRP GNU-TLS http://www.gnu.org/software/gnutls/manual/html_node/

Of course, actual use of these technologies means that the browser 
chrome, not the web page, must set up and verify the password.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     FtM0KMPHrqFLxpaSShaR05Rlxb8CnxF4pHnz9Yqy
     4RHOMGs4NJv8heDXAxtfYQ4sYI82tcElZ5wJ4qgvc



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to