On Wed, 31 May 2006, James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?

"Phishing" can mean a few different things. If by "phishing" you mean the stealing of passwords, then yes, SRP would help to eliminate that problem, but users could still be fooled into giving away their SRP passwords if the user interface for entering the password is convincingly imitated.

Some people use "phishing" to refer to the online capture of identity-related information in general, in which case SRP falls far short of a complete solution. I think it's a difference in philosophy: some see passwords as the ultimate goal; some see passwords as one of many possible means to the ultimate end, which is identity theft.

I'm working on Passpet, a password management tool that tries to address several of the big phishing-related problems including password capture and dictionary attack, and for the authentication part I chose SRP. So that's one place it's getting used, anyway.

-- ?!ng

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
