On Thu, Oct 18, 2012 at 9:36 PM, Nico Williams <[email protected]> wrote:
> On Thu, Oct 18, 2012 at 7:52 PM, Jeffrey Walton <[email protected]> wrote:
>> [SNIP]
>> I'm not really convinced that using an email address in the plaintext
>> for the SRP protocol is finding-worthy, considering email addresses
>> are public information. And I'm very skeptical that it's a critical
>> finding.
>
> It... depends. If you need privacy protection for the client ID then
> you need it, no? I can't tell you if you do. You must decide this.
> For most applications I think privacy protection for the client ID is
> not really necessary.

It's probably worth mentioning... The organization is from the UK, and the penetration testing firm is from the UK. I'm US based, and it could be the case that I am ignorant of UK data security requirements. I attempted to get a copy of the standard used (with no joy).

Jeff
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
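The property the thread is arguing about can be seen directly in an SRP-6a transcript: the client identity I (an e-mail address in the case discussed) is the first thing on the wire, sent in plaintext so the server can look up the matching salt and verifier, while the password, the verifier and the session key never appear. The following is an added example written for this page, not code from anyone in the thread. It assumes the 1024-bit group from RFC 5054 Appendix A (transcribed here, so verify the hex against the RFC before reuse), uses SHA-256 in place of the RFC's SHA-1, uses a simplified M1/M2 proof rather than RFC 2945's exact form, and the identity and password are constructed sample values.

```python
"""SRP-6a exchange recorded from a passive observer's point of view."""
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A (transcribed; check before reuse).
N_HEX = """
EEAF0AB9 ADB38DD6 9C33F80A FA8FC5E8 60726187 75FF3C0B 9EA2314C 9C256576
D674DF74 96EA81D3 383B4813 D692C6E0 E0D5D8E2 50B98BE4 8E495C1D 6089DAD1
5DC7D7B4 6154D6B6 CE8EF4AD 69B15D49 82559B29 7BCF1885 C529F566 660E57EC
68EDBC3C 05726CC0 2FD4CBF4 976EAA9A FD5138FE 8376435B 9FC61D2F C0EB06E3
"""
N = int("".join(N_HEX.split()), 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # 128 bytes; group elements are padded to this


def pad(x: int) -> bytes:
    """Big-endian, left-padded to the size of N, as RFC 5054 requires before hashing."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts (this example's choice; the RFC uses SHA-1)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def private_x(salt: bytes, identity: str, password: str) -> int:
    """x = H(s | H(I ":" P)); the identity is bound into the password hash."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(identity: str, password: str) -> tuple[bytes, int]:
    """Registration: the server stores (salt, verifier) and never the password."""
    salt = secrets.token_bytes(16)
    verifier = pow(g, private_x(salt, identity, password), N)
    return salt, verifier


def run_srp(identity: str, password: str, salt: bytes, verifier: int, wire: list) -> dict:
    """One SRP-6a login. Every message is appended to `wire` exactly as a passive
    observer would see it. Returns the outcome and both sides' derived keys."""
    k = H(pad(N), pad(g))

    # Client -> Server: identity in plaintext (the server needs it to find the
    # salt/verifier) plus the ephemeral public value A = g^a.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    wire.append(("client->server", {"I": identity, "A": A}))

    # Server: reject A == 0 mod N, then send the salt and B = k*v + g^b.
    if A % N == 0:
        raise ValueError("server: A is zero mod N")
    b = secrets.randbelow(N - 2) + 1
    B = (k * verifier + pow(g, b, N)) % N
    wire.append(("server->client", {"s": salt, "B": B}))

    # Client: reject B == 0 mod N or u == 0, then derive the scrambling value u.
    if B % N == 0:
        raise ValueError("client: B is zero mod N")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("client: u is zero")

    # Client S = (B - k*g^x)^(a + u*x); server S = (A * v^u)^b. The two agree
    # only when the client's password yields the verifier the server holds.
    x = private_x(salt, identity, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)
    K_client = H(pad(S_client))
    K_server = H(pad(S_server))

    # Client proves possession of K first; the server answers with M2 only if
    # M1 verifies (simplified proofs, not RFC 2945's exact construction).
    M1 = H(pad(A), pad(B), pad(K_client))
    wire.append(("client->server", {"M1": M1}))
    if M1 != H(pad(A), pad(B), pad(K_server)):
        return {"authenticated": False, "client_key": K_client, "server_key": K_server}
    M2 = H(pad(A), pad(M1), pad(K_server))
    wire.append(("server->client", {"M2": M2}))
    client_accepts = M2 == H(pad(A), pad(M1), pad(K_client))
    return {"authenticated": client_accepts, "client_key": K_client, "server_key": K_server}


def identities_on_the_wire(wire: list) -> list[str]:
    """What a passive observer learns about who is logging in."""
    return [msg["I"] for _, msg in wire if "I" in msg]


def values_absent_from_wire(wire: list, values: list) -> bool:
    """True if none of the given secret values ever appeared in any message."""
    seen = [v for _, msg in wire for v in msg.values()]
    return not any(value in seen for value in values)


if __name__ == "__main__":
    identity, password = "[email protected]", "correct horse battery staple"  # constructed
    salt, verifier = enroll(identity, password)
    wire = []
    result = run_srp(identity, password, salt, verifier, wire)
    print("authenticated:", result["authenticated"])
    print("observer sees identity:", identities_on_the_wire(wire))
    print("password/verifier/key absent:", values_absent_from_wire(
        wire, [password, verifier, result["client_key"]]))
```

Running it shows the two sides agreeing on a key while the observer's transcript contains the e-mail address and nothing derived from the password. Whether that identity exposure is a finding is exactly the judgement call the thread discusses: the protocol gives the identity no confidentiality at all, so any requirement to hide who is logging in has to be met by the transport (for instance running SRP inside TLS), not by SRP itself.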
