Peter Saint-Andre wrote:
> On 3/6/09 6:04 AM, Dave Cridland wrote:
>> On Fri Mar 6 03:33:53 2009, Eric Rescorla wrote:
>>
>>> Obviously, you could do something SRP-oid at the app layer, but we really
>>> should decide if dictionary attack resistance is an important element.
>>
>> I don't think it is - we're not talking in terms of a long-term
>> shared-secret, we're talking about an ephemeral secret shared (say) over
>> the phone, used purely to verify a channel, and, by that, optionally the
>> peer's X.509 cert.
>
> Correct. AFAIK we're making the following assumptions:
>
> 1. Everyone has X.509 certs.
>
> 2. Some/most X.509 certs are self-signed, not issued by trusted CAs.

Correct.

> 3. For the first communication session, the parties need to verify each
> other's certs.

They have to do it for every communication setup, but the first one is the
problem if the certificates have no real certificate chain of signatures.

> 4. If the certs are self-signed, that could be done by checking the
> fingerprints via some other/trusted channel (PGP-encrypted email or
> whatever), but very few people will do that. We don't want folks to take
> the leap of faith, so we need an ephemeral password-based method.

Yes. Comparing fingerprints sucks. A simple password is ok. Compare this to
Bluetooth.

> But, yes, we need to define the threat model. Dirk and I will work that
> into the next version of our proposal.

I have something written down in my thesis. Peter and I will figure out what
we need to add to the draft.

Dirk

--
Hey! It compiles! Ship it!
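As an added example of the scheme the thread is sketching (this is not code from the thread, from the XMPP draft, or from Dirk's thesis), the Python below models two peers with self-signed certs who share a short one-time password by phone and use it to confirm over the channel that each sees the same pair of certificate fingerprints. It also shows the property behind Eric's question: because the fingerprints travel in the clear, a short PIN used as a plain HMAC key can be recovered offline from a single confirmation value, and an active man-in-the-middle who does that can forge confirmations to both sides. The certificate bytes are constructed stand-ins, and the message layout, role labels and all function names are this example's own assumptions, not the draft's format.

```python
"""Ephemeral-password verification of self-signed certificate fingerprints.

Added example, not from the thread or the XMPP draft it discusses. Each peer
presents a self-signed X.509 cert, the two people share a short one-time
password by phone, and each side proves over the channel that it sees the
same pair of fingerprints. DER bytes and function names are constructed here.
"""
import hashlib
import hmac
import itertools
import secrets
import string
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded self-signed certificates (not real certs).
ALICE_CERT_DER = b"CONSTRUCTED-DER-ALICE-" + bytes(range(32))
BOB_CERT_DER = b"CONSTRUCTED-DER-BOB-" + bytes(range(32, 64))
MALLORY_CERT_DER = b"CONSTRUCTED-DER-MALLORY-" + bytes(range(64, 96))


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes as colon-separated upper-case hex, the form
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def confirmation(password: str, my_fp: str, peer_fp: str, role: bytes) -> bytes:
    """Value a peer sends after the TLS handshake: HMAC keyed by the ephemeral
    password over (role, own fingerprint, peer fingerprint). The role label
    keeps the two directions distinct so a value cannot be reflected back."""
    key = hashlib.sha256(password.encode()).digest()
    transcript = b"\0".join([role, my_fp.encode(), peer_fp.encode()])
    return hmac.new(key, transcript, hashlib.sha256).digest()


def verify(password: str, my_fp: str, peer_fp: str, peer_role: bytes, received: bytes) -> bool:
    """Recompute what the peer must have sent if it shares the password and
    sees the same two fingerprints; compare in constant time."""
    expected = confirmation(password, peer_fp, my_fp, peer_role)
    return hmac.compare_digest(expected, received)


def run_exchange(password: str, cert_alice_got: bytes, cert_bob_got: bytes) -> Tuple[bool, bool]:
    """Honest Alice and Bob confirm each other. The arguments are the cert bytes
    each side actually received on the channel, so a cert substituted by a
    relaying man-in-the-middle can be simulated. Returns (alice_ok, bob_ok)."""
    fp_a, fp_b = fingerprint(ALICE_CERT_DER), fingerprint(BOB_CERT_DER)
    peer_at_alice, peer_at_bob = fingerprint(cert_alice_got), fingerprint(cert_bob_got)
    from_alice = confirmation(password, fp_a, peer_at_alice, b"initiator")
    from_bob = confirmation(password, fp_b, peer_at_bob, b"responder")
    bob_ok = verify(password, fp_b, peer_at_bob, b"initiator", from_alice)
    alice_ok = verify(password, fp_a, peer_at_alice, b"responder", from_bob)
    return alice_ok, bob_ok


def recover_password(observed: bytes, sender_fp: str, receiver_fp: str, role: bytes,
                     alphabet: str = string.digits, length: int = 4) -> Optional[str]:
    """Offline dictionary attack on the scheme above: fingerprints are public,
    so anyone holding one confirmation value can test candidate passwords
    without talking to either peer. Returns the password if it is in the
    searched space (by default, every 4-digit PIN), else None."""
    for candidate in itertools.product(alphabet, repeat=length):
        guess = "".join(candidate)
        if hmac.compare_digest(confirmation(guess, sender_fp, receiver_fp, role), observed):
            return guess
    return None


def mitm_exchange(password: str) -> Tuple[bool, bool, Optional[str]]:
    """Active attacker Mallory terminates both TLS connections with her own
    cert, recovers the PIN from Alice's confirmation, and forges a matching
    confirmation towards each side. Returns (alice_ok, bob_ok, recovered)."""
    fp_a, fp_b = fingerprint(ALICE_CERT_DER), fingerprint(BOB_CERT_DER)
    fp_m = fingerprint(MALLORY_CERT_DER)
    # Alice thinks fp_m is Bob's cert; Bob thinks fp_m is Alice's.
    from_alice = confirmation(password, fp_a, fp_m, b"initiator")
    recovered = recover_password(from_alice, fp_a, fp_m, b"initiator")
    if recovered is None:
        return False, False, None
    forged_to_bob = confirmation(recovered, fp_m, fp_b, b"initiator")
    forged_to_alice = confirmation(recovered, fp_m, fp_a, b"responder")
    bob_ok = verify(password, fp_b, fp_m, b"initiator", forged_to_bob)
    alice_ok = verify(password, fp_a, fp_m, b"responder", forged_to_alice)
    return alice_ok, bob_ok, recovered


if __name__ == "__main__":
    pin = "".join(secrets.choice(string.digits) for _ in range(4))  # read out over the phone
    print("honest session, both accept:", run_exchange(pin, BOB_CERT_DER, ALICE_CERT_DER))
    print("MITM that only relays, both reject:", run_exchange(pin, MALLORY_CERT_DER, MALLORY_CERT_DER))
    print("MITM that brute-forces the 4-digit PIN:", mitm_exchange(pin))
```

The honest case and the relaying MITM behave as the thread wants: a substituted cert changes the fingerprint on one side and both confirmations fail. The third case is the one Eric's question is about. The PIN being ephemeral does not help here, because Mallory recovers it from the very first confirmation of the session she is attacking; ten thousand HMACs take milliseconds, so the window is wide open. Making the confirmation value useless as an offline guessing oracle is exactly what an SRP-style password-authenticated key exchange provides, and the alternative is a password long enough that the search in `recover_password` is infeasible, which is what people will not type.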
