
Re: IETF LC Gen-ART review of draft-harkins-salted-eap-pwd-06

2016-09-23 17:22:42
Daniel Harkins <dharkins(_at_)arubanetworks(_dot_)com> writes:
> We may be talking past each other. But the reason that note is there
> is because this is a "balanced" PAKE where both sides use an identical
> representation of a credential. In this case, the credential is not
> the password, it's the hashed password. So if an attacker gets a copy
> of the hashed password it can impersonate the client to the server and
> the server to the client. In other uses of hashed password databases
> the client sends the password across the wire/air so if an attacker
> somehow got ahold of the hashed password it would not be able to
> impersonate the client to the server (because the server is asking for
> the password not the hashed password).

(My apologies for not replying sooner.)

I suspect that I'm being caught up by the fact that I don't know the
design space of authentication protocols very well.  In any case, this
point is certainly not a reason to hold up the draft.

Dale
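Added illustration of the property discussed in this thread (this is example code, not from the draft or either author): a toy model in which the stored salted hash is the credential itself, so any party holding only the database entry completes the balanced exchange in either role, while in the password-over-the-wire design the same entry does not pass the server's check. The HMAC challenge-response and the sample salt/password are constructed stand-ins, not EAP-pwd's real password-element derivation.

```python
import hashlib
import hmac
import os

# Constructed sample values (assumptions for this example only).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = b"correct horse battery staple"


def salted_credential(password: bytes, salt: bytes) -> bytes:
    """What the server database stores; in a balanced PAKE this is the credential."""
    return hashlib.sha256(salt + password).digest()


class BalancedPeer:
    """Either side of a balanced exchange: both hold the identical salted hash.
    Proof of possession is modelled as an HMAC challenge-response (stand-in)."""

    def __init__(self, credential: bytes) -> None:
        self.credential = credential

    def prove(self, challenge: bytes) -> bytes:
        return hmac.new(self.credential, challenge, hashlib.sha256).digest()

    def verify(self, challenge: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(self.prove(challenge), proof)


def balanced_mutual_auth(initiator: BalancedPeer, responder: BalancedPeer) -> bool:
    """Each side challenges the other; succeeds only if both hold the same credential."""
    c_init, c_resp = os.urandom(16), os.urandom(16)
    return (responder.verify(c_init, initiator.prove(c_init))
            and initiator.verify(c_resp, responder.prove(c_resp)))


def verifier_server_check(stored: bytes, salt: bytes, presented_password: bytes) -> bool:
    """Server in the other design: the client sends the password, the server re-hashes it."""
    return hmac.compare_digest(salted_credential(presented_password, salt), stored)


def compare_designs() -> dict:
    stored = salted_credential(PASSWORD, SALT)
    client = BalancedPeer(salted_credential(PASSWORD, SALT))  # derives it from password + salt
    server = BalancedPeer(stored)
    hash_holder = BalancedPeer(stored)  # knows only the database entry, never the password
    return {
        "balanced_honest": balanced_mutual_auth(client, server),
        "balanced_hash_holder_as_client": balanced_mutual_auth(hash_holder, server),
        "balanced_hash_holder_as_server": balanced_mutual_auth(client, hash_holder),
        "verifier_scheme_honest": verifier_server_check(stored, SALT, PASSWORD),
        "verifier_scheme_hash_holder": verifier_server_check(stored, SALT, stored),
    }
```

The two "hash_holder" results being True in the balanced model is exactly why the draft's note asks that the salted-hash database be protected as a credential.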
