Hi Richard, I don't think that you can protect against server compromise with SPAKE2. The server can store w*N as you suggest, but it also has to store w*M because it must calculate y*(T-w*M). An attacker that learns w*M and w*N from a compromised server can then impersonate a client.
The rest of your comments I agree with (though they are not all addressed in the updated draft).

Tony

> From: Richard Barnes [mailto:r...@ipv.sx]
> Sent: 13 April 2018 19:50
>
> Hey Tony,
>
> Thanks for the comments. Hopefully we can adapt this document to tick more
> boxes for you :)
> Since I had noticed some other errors in the document (e.g., figures not
> rendering properly), I went ahead and submitted a new version that takes
> these comments into account.
>
> https://tools.ietf.org/html/draft-barnes-tls-pake-01
>
> Some responses inline below.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
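The algebra behind Tony's point, as an added example (not code from either message or from the draft): a toy SPAKE2 over a constructed multiplicative group (safe prime p = 2q + 1, order-q subgroup, with G, M, N standing in for the draft's P, M, N points). The server stores only w*M and w*N, as the draft suggests, and the client side is written so that it consumes nothing but that same pair. A wrong password guess fails, the real client succeeds, and so does a run driven purely from the server's stored record, which is why that record is password-equivalent and must be protected as such.

```python
import hashlib
import secrets

# Toy group, constructed for this example only: safe prime p = 2q + 1, and we
# work in the order-q subgroup of quadratic residues. Real SPAKE2 uses an
# elliptic-curve group; the algebra is identical with additive notation.
P = 2039
Q = 1019
G = 4    # generator of the order-q subgroup (the draft's base point "P")
M = 9    # fixed element "M"; its discrete log w.r.t. G is assumed unknown
N = 25   # fixed element "N"; same assumption


def derive_w(password: bytes) -> int:
    """w = H(password) mod q, the password-derived scalar."""
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % Q


def mul(a: int, b: int) -> int:          # "point addition"
    return a * b % P


def exp(base: int, k: int) -> int:       # "scalar multiplication"
    return pow(base, k, P)


def neg(a: int) -> int:                  # "point negation" (group inverse)
    return pow(a, P - 2, P)


class SpakeServer:
    """Server that stores only w*M and w*N, never w itself.

    Both values are needed: w*N to form S, and w*M to unblind T."""

    def __init__(self, password: bytes):
        w = derive_w(password)
        self.wM = exp(M, w)
        self.wN = exp(N, w)
        self.y = 0

    def start(self) -> int:
        self.y = secrets.randbelow(Q - 1) + 1
        return mul(exp(G, self.y), self.wN)            # S = y*P + w*N

    def finish(self, T: int) -> int:
        return exp(mul(T, neg(self.wM)), self.y)       # K = y*(T - w*M)


def client_side(server: SpakeServer, wM: int, wN: int) -> tuple:
    """Run one exchange with the client driven purely by the pair (w*M, w*N).

    A real client derives the pair from the password; the point is that
    nothing else about the password is ever used on the client side."""
    x = secrets.randbelow(Q - 1) + 1
    T = mul(exp(G, x), wM)                             # T = x*P + w*M
    S = server.start()
    K_client = exp(mul(S, neg(wN)), x)                 # K = x*(S - w*N)
    K_server = server.finish(T)
    return K_client, K_server


def client_values(password: bytes) -> tuple:
    w = derive_w(password)
    return exp(M, w), exp(N, w)


def legitimate_client_agrees(password: bytes = b"constructed-pw") -> bool:
    srv = SpakeServer(password)
    kc, ks = client_side(srv, *client_values(password))
    return kc == ks


def wrong_guess_agrees(password: bytes = b"constructed-pw",
                       guess: bytes = b"wrong-guess") -> bool:
    srv = SpakeServer(password)
    kc, ks = client_side(srv, *client_values(guess))
    return kc == ks


def stolen_record_agrees(password: bytes = b"constructed-pw") -> bool:
    """Client side run from the server's stored record alone, no password."""
    srv = SpakeServer(password)
    kc, ks = client_side(srv, srv.wM, srv.wN)
    return kc == ks


if __name__ == "__main__":
    print("legitimate client:", legitimate_client_agrees())
    print("wrong guess:      ", wrong_guess_agrees())
    print("stolen w*M, w*N:  ", stolen_record_agrees())
```

The stored pair is exactly what a client needs, so hashing the password into w before storage buys no more than storing a password hash does: whoever reads the server's record can complete the client role without a dictionary search. If server compromise is in the threat model, that calls for an augmented PAKE design rather than a change in what SPAKE2 stores.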