Peter Gutmann wrote:
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:

SSL involves digital certificates.
Not really, James Donald/George W. Bush. It involves public keys, and it
provides a channel by which X.509 certificates can be exchanged,

Actually it doesn't even require X.509 certs.  TLS-SRP and TLS-PSK provide
mutual authentication of client and server without any use of X.509.  The only
problem has been getting vendors to support it, several smaller
implementations support it, it's in the (still unreleased) OpenSSL 0.99, and
the browser vendors don't seem to be interested at all, which is a pity
because the mutual auth (the server has to prove possession of the shared
secret before the client can connect) would significantly raise the bar for
phishing attacks.

(Anyone have any clout with Firefox or MS?  Without significant browser
support it's hard to get any traction, but the browser vendors are too busy
chasing phantoms like EV certs).

That's actually a sad observation.

I keep telling my colleagues that this technology is coming "any day
now" to a browser near you - didn't realize that that there was no
interest with the browser companies to add support for this...

Why do the browser companies not care?
What is the adoption issue?
Still the dark cloud of patents looming over it?
Not enough understanding about the benefits? (marketing)
Economic reasons that we wouldn't buy anymore server certs?


Frank Siebenlist               [EMAIL PROTECTED]
The Globus Alliance - Argonne National Laboratory

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to