At Wed, 12 Sep 2007 00:51:33 -0700,
Christian Huitema wrote:
There are a large number of protocol designs--even existing
protocols--which are compatible with the general paradigm of "user U
proves possession of password P to server A without giving A a
credential which can be used to impersonate U to server B".
HTTP Digest, TLS-PSK, SRP, and PwdHash all come to mind. The
difficult parts are:
(1) putting a sensible UI on it--including one that isn't easily
spoofed (see the extensive literature on how hard it is
to build a secure UI.
(2) Getting everyone to agree on one protocol.
Please add:
(3) The chosen solution is immune to dictionary attacks.
Well, I'm not convinced that this is in fact a requirement (I note
it's not in Sam's document, not that I take that as gospel). That
said, if you want this property, then it severely narrows the
scope of possible solutions, more or less down to either ZKPP/PAKE
protocols and to public key-based authentication using random
(as opposed to password generated) keys.
-Ekr
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf