Emile Cormier
Also, it's not clear from the spec whether the PING payload may be empty.
Thanks @KSDaemon and @oberstet ! Up until now, our TCP connections were through the loopback interface, so the problem of dropped TCP connections never came up.
SRP has fewer vulnerabilities than SCRAM. I had warned that I was going to propose an SRP spec after I did SCRAM. But someone decided to go ahead and implement...
> Exactly! Highly welcome .. following IETF mantra: rough consensus, working code;)

And that's fine, as long as everyone keeps an open mind about SRP. :smile:
Perhaps this issue should be renamed to "PAKE Authentication"? I like the properties of SRP, but I'm not necessarily married to that particular flavor of PAKE authentication.
One thing that's nice about SRP is that both ends compute a shared secret that can be used to encrypt messages over an untrusted transport. I don't know if this...
PAKE Notes:
* Augmented PAKE (as opposed to balanced PAKE) is preferable so the server doesn't store password-equivalent data that can be stolen.
* Property of PAKE is that...

@meejah Your use case seems fine for machine-to-machine communications, like, for example, industrial automation. But my motivation is for humans to log into a web service using any computer. Perhaps...
@oberstet Again, my motivation is to address the business requirement for our project to log in securely via a web browser, without involving any hardware devices. Because our web app...
Other Augmented PAKEs:
* AMP: Spec'ed in IEEE 1363.2 and IEC 1177. [Paper](https://eprint.iacr.org/2000/026.pdf). Can't find any implementations. :-1:
* [Augmented-EKE](https://en.wikipedia.org/wiki/Encrypted_key_exchange): Can't find any implementations. [Paper](https://www.cs.columbia.edu/~smb/papers/aeke.pdf). Covered by patent which expired...