On Mon, Sep 12, 2011 at 5:48 PM, James A. Donald <[email protected]> wrote: > -- > On 2011-09-11 4:09 PM, Jon Callas wrote: >> The bottom line is that there are places that continuity >> works well -- phone calls are actually a good one. There >> are places it doesn't. The SSL problem that Lucky has >> talked about so well is a place where it doesn't. Amazon >> can't use continuity. It is both inconvenient and insecure. > > Most people who login to Amazon have a long existing relationship: Hence key > continuity and SRP would work well. I can't help but feel that Thomas Wu's SRP (or other PAKEs) would have helped the folks in Iran. A process which only requires two parties (Google and the individual) had three parties, one of whom failed spectacularly.
Not only do the additional parties add undue exposure (as used by hackers on this occasion), its also an additional party which can be strong armed by the US government with gestapo legislation such as the PATRIOT Act (for those who take offense, insert your favorite unkind government). Considering how frequently corporate america complies with law enforcement requests (*not* court orders), removing unneeded parties would certainly reduce or restrict privacy threats since the US government and corporate america have a chronic, progressive history of violations. > Those few people who login for the first time generally get there by typing > a search string into their browser. This is reliable because DNS and > routing are not the low hanging fruit. When and if we fix other problems, > and they become the low hanging fruit, then yurls will solve that problem. I look at it as a necessary evil - the relationship must be established somehow. Jeff _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
