Hi,

RFC-5054 adds the ability to use SRP-6 secure username/password as the authentication mechanism to TLS.

This gives client authentication using a secure username/password scheme, and optionally server authentication either by the fact the server is in possession of the necessary information to authenticate the client, or using traditional server certificates.

Using this type of authentication is good for protocols that require client authentication and are already username/password based. Obvious candidates are secure SMTP, IMAP, FTP, etc.

I believe web apps would also benefit greatly from this, except for the fact that browser SSL implementations and UIs would have to be changed to accept a username and password during the TLS handshake, which is probably not going to happen.

I'd like to look into adding RFC-5054 support to JSSE if everyone agrees it would be worth having. Has anyone else looked into it or have an opinion?

Regards,
David Taylor.
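
The SRP-6 computation that RFC 5054 carries inside the TLS key exchange, as an added example that is not part of the original message and is not JSSE code. It uses the RFC's SHA-1 formulas and 1024-bit group; the function names and the `handshake` helper are hypothetical. It shows that the server stores only a verifier, and that both sides reach the same premaster secret only when the client knows the password.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A, generator 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16)
G = 2
NLEN = (N.bit_length() + 7) // 8

def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")  # left-pad to the byte length of N

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

K = H(pad(N), pad(G))  # multiplier k = SHA1(N | PAD(g))

def private_x(salt: bytes, user: bytes, password: bytes) -> int:
    # x = SHA1(salt | SHA1(user ":" password)); only the client can compute it
    return H(salt, hashlib.sha1(user + b":" + password).digest())

def make_verifier(salt: bytes, user: bytes, password: bytes) -> int:
    # v = g^x mod N is all the server keeps; the password itself is never stored
    return pow(G, private_x(salt, user, password), N)

def client_premaster(salt, user, password, a: int, B: int) -> int:
    if B % N == 0:
        raise ValueError("illegal B from server")  # client must abort
    u = H(pad(pow(G, a, N)), pad(B))
    x = private_x(salt, user, password)
    return pow((B - K * pow(G, x, N)) % N, a + u * x, N)

def server_premaster(v: int, b: int, A: int, B: int) -> int:
    if A % N == 0:
        raise ValueError("illegal A from client")  # server must abort
    u = H(pad(A), pad(B))
    return pow(A * pow(v, u, N) % N, b, N)

def handshake(stored: bytes, typed: bytes, user: bytes = b"alice") -> bool:
    # Constructed run of both sides; real TLS detects a mismatch in Finished.
    salt = secrets.token_bytes(16)
    v = make_verifier(salt, user, stored)
    a, b = secrets.randbits(256), secrets.randbits(256)
    A, B = pow(G, a, N), (K * v + pow(G, b, N)) % N
    return client_premaster(salt, user, typed, a, B) == server_premaster(v, b, A, B)
```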
