>[Incredibly complicated description of web scripting plumbing deleted]

We seem to be talking about completely different things here.  For a typical
application, say online banking, I connect to my bank at www.bank.com or
whatever, the browser requests my credential information, and the TLS-SRP or
TLS-PSK channel is established. That's all.  There's no web application
framework and PHP and scripting and other stuff at all, in fact I can't even
see how you'd inject this into the process.

>Further, if we do the SRP dance every single page, it is a huge performance
>hit, with many additional round trips. One loses about 20 percent of one's
>market share for each additional round trip.

You only do it once when the TLS session is set up, it's exactly as for
standard TLS except that instead of PKI-based non-authentication you use
cryptographic mutual authentication.  How do you get an SRP exchange for every
web page?


