From: Charlie Kaufman
> From a legal perspective, they would
> probably have a better chance with SRP, since Stanford
> holds a patent and might be motivated to support the
> challenge.

The vast majority of phishing attacks and other forms of 
man-in-the-middle attack seek to steal existing shared secrets - passwords, 
social security numbers, credit card numbers.

I figured that the obvious solution to all this was to deploy 
zero-knowledge technologies, where both parties prove knowledge of the 
shared secret without revealing the shared secret.

Now I see that zero-knowledge technologies have been deployed - or 
almost so:

SRP-TLS-OpenSSL http://www.edelweb.fr/EdelKey/ (not quite ready for prime time)

And SRP GNU-TLS http://www.gnu.org/software/gnutls/manual/html_node/

Of course, actual use of these technologies means that the browser 
chrome, not the web page, must set up and verify the password.

         James A. Donald
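
The kind of password proof the message describes, as an added example that is not part of the original post or of either linked project: one SRP-6a run in Python with client and server side by side. The SHA-256 hash, the padding, the function names and the RFC 2409 1024-bit group (g = 2) standing in for an RFC 5054 SRP group are assumptions.

```python
import hashlib
import secrets

# Assumption: 1024-bit safe prime of RFC 2409 Oakley group 2 with g = 2, used
# here as a stand-in group; SRP deployments take N and g from RFC 5054.
N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
g = 2

def H(*parts):
    """SHA-256 over the parts; integers are padded to the byte length of N."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(128, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_key(user, password, salt):
    return H(salt, f"{user}:{password}".encode())

def enroll(user, password):
    """Server keeps only (salt, verifier); the password is never stored or sent."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(user, password, salt), N)

def login(user, typed_password, salt, verifier):
    """Run client and server side by side; returns (client_ok, server_ok, wire)."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    A = pow(g, a, N)                          # client -> server, with user name
    B = (k * verifier + pow(g, b, N)) % N     # server -> client, with salt
    if A % N == 0 or B % N == 0:
        raise ValueError("illegal public value")   # abort, as SRP requires
    u = H(A, B)
    x = private_key(user, typed_password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(verifier, u, N) % N, b, N)
    K_client, K_server = H(S_client), H(S_server)
    M1 = H(A, B, K_client)                    # client -> server: proof of K
    server_ok = M1 == H(A, B, K_server)
    M2 = H(A, M1, K_server) if server_ok else None   # server -> client
    client_ok = M2 is not None and M2 == H(A, M1, K_client)
    wire = {"user": user, "A": A, "salt": salt, "B": B, "M1": M1, "M2": M2}
    return client_ok, server_ok, wire
```

The `wire` dictionary lists everything that is transmitted; the password and `x` never leave the client, and the server holds only the salt and verifier.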

The Cryptography Mailing List