On Feb 26, 2016 11:26 AM, "Dan Harkins" <[email protected]> wrote:
>
>
> On Thu, February 25, 2016 11:41 pm, Watson Ladd wrote:
> > On Thu, Feb 25, 2016 at 11:33 PM, Dan Harkins <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> On Wed, February 24, 2016 1:59 pm, Rick van Rein wrote:
> >>> Hi,
> >>>
> >>>> Although the lack of modern cipher-suites for SRP makes it not very
> >>>> attractive these days.
> >>>>
> >>> Does anyone know if work on something like "ECSRP" is going on,
> >>> anywhere?
> >>>
> >>> We've recently worked on getting it working with PKCS #11,
> >>>
> >>> https://github.com/arpa2/srp-pkcs11
> >>> https://github.com/arpa2/srp-pkcs11/blob/rfc5054_compat/doc/design/srp-pkcs11.pdf
> >>>
> >>> It could be interesting to see if this translates to the Elliptic Curve
> >>> arena.
> >>>
> >>> I heard rumours of alternatives being weighed against one another, but
> >>> failed to find anything concrete. Links are quite welcome!
> >>
> >> Well there's TLS-PWD. Works just fine with ECC. Also provides
> >> for protection of the client username from passive attack.
> >>
> >> https://tools.ietf.org/html/draft-ietf-tls-pwd-07
> >
> > As well as my SPAKE2 draft, which can fit in TLS easily. The real
> > problem here is that there is no reason not to use certificates in a
> > lot of cases.
>
> Well if you're using a browser I'd agree with you. But when TLS
> is used to protect non-browser traffic there are plenty of cases
> where you won't have an implicit trust anchor database or you're
> going to some server administered by someone who most likely only
> has a self-signed cert (Let's Encrypt makes it easy to get a cert
> for a web server but, again, that's kind of browser-centric).
>
> I address the case for certificate-less authentication in section
> 1.1 of the TLS-PWD I-D.
The right solution is to make certificates easy. SSH solved this years ago.
(Yes, I'm aware devices don't necessarily have a "trust anchor". Passwords
assume enough input capacity to solve this problem.)

> regards,
>
> Dan.
>
> >>
> >> Thanks for reminding me to update that draft :-)
> >>
> >> Dan.
> >>
> >>> -Rick
> >>>
> >>
> >>
> >
> >
> >
> > --
> > "Man is born free, but everywhere he is in chains".
> > --Rousseau.
> >
> >
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
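Editor's worked example for the "ECSRP" question and the SPAKE2 answer above: a password-only (certificate-less) key exchange run over an elliptic curve, with both sides' messages and the key-confirmation step. This is added illustration code, not code from the thread, from the TLS-PWD or SPAKE2 drafts, or from the srp-pkcs11 project. It uses the standard NIST P-256 parameters, but the M/N mask points (derived here by a try-and-increment hash, not the standardized constants), the identities, salt, transcript framing and key derivation are this example's own assumptions. SPAKE2 needs only a prime-order group, which is why it fits an ECC deployment as easily as a mod-p one.

```python
"""SPAKE2 over NIST P-256 (illustration; constants other than the curve are demo-only)."""
import hashlib
import hmac
import secrets

# NIST P-256 (FIPS 186-4): y^2 = x^3 - 3x + B over GF(P); G has prime order N, cofactor 1.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity (group identity)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; not constant-time, which is fine for an illustration."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def encode(pt):
    """SEC1 compressed encoding; the identity point is a protocol failure, so reject it."""
    if pt is INF:
        raise ValueError("identity point: abort")
    x, y = pt
    return bytes([2 | (y & 1)]) + x.to_bytes(32, "big")


def point_from_label(label):
    """Demo mask-point derivation (try-and-increment).  NOT the standardized SPAKE2
    M/N constants; all SPAKE2 needs is a public point whose discrete log to G nobody knows."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (x**3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


M = point_from_label(b"SPAKE2 demo point M")     # assumption: demo label, not a spec constant
N_PT = point_from_label(b"SPAKE2 demo point N")  # assumption: demo label, not a spec constant


def password_scalar(password, salt):
    """w = MHF(password) mod N (PBKDF2 here; pick scrypt/Argon2 in a deployment).
    Caveat: plain SPAKE2 is balanced, so the server stores w itself, which is
    password-equivalent; SRP stores a verifier instead, and SPAKE2+ is the augmented variant."""
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, 64), "big") % N


def client_start(password, salt):
    w = password_scalar(password, salt)
    x = 1 + secrets.randbelow(N - 1)
    return (w, x), add(mul(x, G), mul(w, M))  # client -> server: pA = xG + wM


def server_start(password, salt):
    w = password_scalar(password, salt)
    y = 1 + secrets.randbelow(N - 1)
    return (w, y), add(mul(y, G), mul(w, N_PT))  # server -> client: pB = yG + wN


def lv(b):
    return len(b).to_bytes(8, "little") + b


def derive(ids, pA, pB, K, w):
    """Transcript hash -> (session key Ke, client confirmation cA, server confirmation cB).
    Framing and labels are this example's own, not any draft's."""
    tt = b"".join(lv(p) for p in (*ids, encode(pA), encode(pB), encode(K), w.to_bytes(32, "big")))
    km = hashlib.sha512(tt).digest()
    ke, ka = km[:32], km[32:]
    kc_a = hmac.new(ka, b"client confirm", "sha256").digest()
    kc_b = hmac.new(ka, b"server confirm", "sha256").digest()
    return ke, hmac.new(kc_a, encode(pB), "sha256").digest(), hmac.new(kc_b, encode(pA), "sha256").digest()


def client_finish(state, ids, pA, pB):
    w, x = state
    if pB is INF or not on_curve(pB):
        raise ValueError("bad pB")  # always validate the peer's point before using it
    K = mul(x, add(pB, neg(mul(w, N_PT))))  # x(pB - wN) = xyG
    return derive(ids, pA, pB, K, w)


def server_finish(state, ids, pA, pB):
    w, y = state
    if pA is INF or not on_curve(pA):
        raise ValueError("bad pA")
    K = mul(y, add(pA, neg(mul(w, M))))  # y(pA - wM) = xyG
    return derive(ids, pA, pB, K, w)


def run_exchange(client_pw, server_pw, salt=b"constructed-salt", ids=(b"client", b"server")):
    """Drive both sides over constructed inputs; returns (confirmations_ok, Ke_client, Ke_server)."""
    cs, pA = client_start(client_pw, salt)
    ss, pB = server_start(server_pw, salt)
    ke_c, ca_c, cb_c = client_finish(cs, ids, pA, pB)  # client's view of the transcript
    ke_s, ca_s, cb_s = server_finish(ss, ids, pA, pB)  # server's view of the transcript
    ok = hmac.compare_digest(ca_c, ca_s) and hmac.compare_digest(cb_c, cb_s)
    return ok, ke_c, ke_s
```

With matching passwords both sides arrive at the same Ke and each confirmation MAC verifies; with a wrong password on either side the two transcripts diverge at K and the confirmation fails, which is the property that distinguishes a PAKE from a plain DH over a password-derived value. Two things a practitioner would change before using anything like this: the arithmetic is not constant-time, and the mask points must come from a specification (nothing-up-my-sleeve derivation) rather than a label chosen here.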
