RE: [TLS] Straw poll on TLS SRP status
"Kemp, David P." <DPKemp at missi.ncsc.mil> writes:
>[...]
>3) User authenticates with a) nothing, b) http basic auth, c) client
> cert, or d) SRP - it doesn't matter which
>4) Phishing server puts up a form that says: enter SSN, mother's
> maiden name, and password.
With SRP, the user can't connect until the server's already proven knowledge
of the username and password, so the phisher can never even get to step 4.
>If someone is phishing for information to enable identity theft, then user
>authentication has no preventive benefit whatsoever.
SRP isn't user authentication, it's mutual authentication of client and
server. So is TLS-PSK.
>The way to prevent phishing is to make server authentication work.
Exactly. That's what TLS-PSK and TLS-SRP do. Thank you for supporting my
argument :-).
Peter.
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
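The property Peter relies on above, that an SRP server which does not hold the user's verifier cannot complete the handshake and so never gets to put up a form, shown as an added worked example that is not part of the original thread. It uses a constructed toy group (N = 2^127 - 1, g = 3, not a safe prime and not an RFC 5054 group) and a simplified hash encoding; the SRP-6a algebra is the same as in TLS-SRP.

```python
import hashlib
import secrets

# Toy SRP-6a group, constructed for this demo only: N = 2^127 - 1 (a Mersenne prime,
# not a safe prime) with g = 3. Real TLS-SRP uses the RFC 5054 groups; the algebra is identical.
N = 2**127 - 1
g = 3

def H(*parts):
    """Hash an ordered list of values to an integer (demo encoding, not RFC 5054's)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode() + b"|")
    return int.from_bytes(h.digest(), "big")

k = H(N, g) % N  # SRP-6a multiplier

def make_verifier(user, password, salt):
    """Enrollment: the legitimate server stores (salt, v) and never holds the password."""
    return pow(g, H(salt, user, password), N)

def srp_handshake(user, password, salt, server_v):
    """One SRP-6a run: the client knows the password, the server only holds server_v.
    Returns (server_verified_client, client_verified_server)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                   # Client -> Server
    b = secrets.randbelow(N - 2) + 1
    B = (k * server_v + pow(g, b, N)) % N              # Server -> Client; needs the real v
    u = H(A, B) % N
    if B == 0 or u == 0:
        return (False, False)                          # RFC 5054 requires aborting here
    x = H(salt, user, password)
    S_client = pow(B - k * pow(g, x, N), a + u * x, N)   # derived from the password
    S_server = pow(A * pow(server_v, u, N), b, N)        # derived from the verifier
    K_client, K_server = H(S_client), H(S_server)        # equal only if server_v == g^x
    M1 = H(A, B, K_client)                             # client's proof, sent first
    server_ok = M1 == H(A, B, K_server)
    M2 = H(A, M1, K_server)                            # server's proof of knowing v
    client_ok = M2 == H(A, M1, K_client)
    return (server_ok, client_ok)

def user_submits_form(user, password, salt, server_v):
    """Application data (e.g. a form asking for an SSN) flows only after M2 verifies."""
    return srp_handshake(user, password, salt, server_v)[1]
```

A phishing server that guesses a verifier fails the M2 check, so the client never reaches the point of sending it anything; the client's M1 is a hash over a key the phisher cannot derive, not the password itself.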