* James A. Donald:

> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to happening.  SASL-SRP was
> recently dropped.  What is the problem?

There is no way to force an end user to enter a password only over
SRP.  That's why SRP is not effective against phishing (even the
mimicry variant).  In that regard, the password input field was a huge
mistake.  Fortunately, it doesn't matter because today, we must assume
that the client is thoroughly compromised, which means that entering
passwords over SRP isn't safe, either.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to