Hi David,

Thanks for your proposal on supporting RFC-5054 in JSSE. However, SRP is patented, and the potential IP issues will prevent us from adding the module to JSSE. Also, RFC-5054 is only an informational RFC, and in practice there is a lack of deployment of SRP/TLS; my team thinks it is a low priority compared to other enhancements we'd like to see in security.

Thanks & Regards,
Andrew

David Taylor wrote:
Hi,

RFC-5054 adds the ability to use SRP-6 secure username/password as the authentication mechanism to TLS.

This gives client authentication using a secure username/password scheme, and optionally server authentication either by the fact the server is in possession of the necessary information to authenticate the client, or using traditional server certificates.

Using this type of authentication is good for protocols that require client authentication and are already username/password based. Obvious candidates are secure SMTP, IMAP, FTP, etc.

I believe web apps would also benefit greatly from this, except for the fact that browser SSL implementations and UIs would have to be changed to accept a username and password during the TLS handshake, which is probably not going to happen.

I'd like to look into adding RFC-5054 support to JSSE if everyone agrees it would be worth having. Has anyone else looked into it or have an opinion?

Regards,
David Taylor.
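To make the mechanism David describes concrete, here is an added example (not code from the thread, JSSE, or any RFC 5054 implementation) of the SRP-6a arithmetic that RFC 5054 puts into the TLS handshake: the server stores a salt and a verifier v = g^x mod N rather than the password, the two sides exchange A and B in place of the usual ClientKeyExchange/ServerKeyExchange values, and both derive the same premaster secret S only if the client knows the password and the server holds the matching verifier. The group parameters are the 1024-bit group from RFC 5054 Appendix A; the class and function names, the sample username and passwords, and the `run_handshake` driver are this example's own. The mod-N-equals-zero checks on A and B are the ones RFC 5054 requires before either side continues.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A (prime N, generator g = 2).
# In TLS the server sends (N, g, s, B) in ServerKeyExchange; here both
# sides simply share the constant.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def sha1(*parts: bytes) -> bytes:
    h = hashlib.sha1()
    for p in parts:
        h.update(p)
    return h.digest()


def pad(n: int) -> bytes:
    """PAD(): left-pad an integer to the byte length of N (RFC 5054 2.5.2)."""
    return n.to_bytes(N_LEN, "big")


# Multiplier k = SHA1(N | PAD(g)), fixed by the group.
k = int.from_bytes(sha1(pad(N), pad(g)), "big")


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = SHA1(s | SHA1(I | ":" | P)) as specified in RFC 5054 2.5.3."""
    inner = sha1(username.encode(), b":", password.encode())
    return int.from_bytes(sha1(salt, inner), "big")


def enroll(username: str, password: str):
    """Server-side enrollment: keep (salt, v); the password itself is never stored."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return salt, v


class SrpServer:
    """Holds the verifier; possessing v is what lets it authenticate the client."""

    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v

    def key_exchange(self):
        # ServerKeyExchange carries (N, g, s, B) with B = k*v + g^b mod N.
        self.b = secrets.randbelow(N - 1) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def premaster(self, A: int) -> int:
        if A % N == 0:  # RFC 5054: abort with illegal_parameter
            raise ValueError("illegal_parameter: A mod N == 0")
        u = int.from_bytes(sha1(pad(A), pad(self.B)), "big")
        # S = (A * v^u)^b mod N
        return pow(A * pow(self.v, u, N), self.b, N)


class SrpClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def key_exchange(self) -> int:
        # ClientKeyExchange carries A = g^a mod N.
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(g, self.a, N)
        return self.A

    def premaster(self, salt: bytes, B: int) -> int:
        if B % N == 0:  # RFC 5054: abort with illegal_parameter
            raise ValueError("illegal_parameter: B mod N == 0")
        u = int.from_bytes(sha1(pad(self.A), pad(B)), "big")
        x = private_x(salt, self.username, self.password)
        # S = (B - k*g^x)^(a + u*x) mod N
        base = (B - k * pow(g, x, N)) % N
        return pow(base, self.a + u * x, N)


def run_handshake(username: str, enrolled_pw: str, offered_pw: str):
    """Enroll with one password, attempt with another; return (client S, server S).
    The two premaster secrets agree only when the offered password is right;
    in TLS that agreement is what the Finished messages then confirm."""
    salt, v = enroll(username, enrolled_pw)
    server, client = SrpServer(salt, v), SrpClient(username, offered_pw)
    A = client.key_exchange()
    s, B = server.key_exchange()
    return client.premaster(s, B), server.premaster(A)


if __name__ == "__main__":
    # Constructed sample credentials for the demo run.
    good = run_handshake("alice", "correct horse battery", "correct horse battery")
    bad = run_handshake("alice", "correct horse battery", "wrong guess")
    print("correct password, secrets agree:", good[0] == good[1])
    print("wrong password, secrets agree:  ", bad[0] == bad[1])
```

Because neither side ever sends x, v, or the password, a passive observer of A and B learns nothing usable offline, and a server that does not hold the right verifier cannot reach the client's S either, which is the "server authentication by possession" property mentioned above. Note that RFC 5054 defines no separate M1/M2 proof messages; the TLS Finished messages, keyed from the premaster secret, serve that purpose.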
