At Mon, 04 Feb 2008 14:29:50 +1000,
James A. Donald wrote:
> James A. Donald wrote:
>  >> I have figured out a solution, which I may post here
>  >> if you are interested.
> Ian G wrote:
>  > I'm interested.  FTR, zooko and I worked on part of
>  > the problem, documented briefly here:
>  >
> I have posted "How to do VPNs right" at
> It covers somewhat different ground to that which your
> page covers, focusing primarily on the problem of
> establishing the connection.
>       "humans are not going to carry around large
>       strong secrets every time either end of the
>       connection restarts.  In fact they are not going
>       to transport large strong secrets any time ever,
>       which is the flaw in SSL and its successors such
>       as IPSec and DTLS

This paragraph sure is confused.

1. IPsec most certainly is not a successor to SSL. On
   the contrary, IPsec predates SSL.

2. TLS doesn't require you to carry around strong secrets.
   I refer you to TLS-SRP [RFC 5054]

3. For that matter, even if you ignore SRP, TLS supports
   usage models which never require you to carry around
   strong secrets: you preconfigure the server's public
   key and send a password over the TLS channel. Since
   this is the interface SSH uses, the claim that humans
   won't do it is manifestly untrue.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to