Augmented PAKE avoids the raw credentials problem. But PAKE doesn’t solve all problems. Without PKI it’s a duckling model at best, and you don’t log into every website every time with a password.
— Mike

> On Jan 23, 2015, at 2:49 PM, Justin King-Lacroix <[email protected]> wrote:
>
> I think "is" and "should be" have been conflated. (Unfortunately -- PKI needs to die, I agree.)
>
> Is PAKE really the way to go, though? Having servers store raw (as opposed to salt-hashed) credentials feels like a mistake.
>
> J
>
> On 23 January 2015 at 09:57, U.Mutlu <[email protected]> wrote:
> SSL certificate stuff (ie. PKI) is IMO dead. NSA killed it.
> Back to the roots: hashed pw over MITM-safe sessions (SRP, SPEKE etc, ie. PAKE).
>
> cu
> Uenal
>
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
