[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: protocol progress...
Without having validated the statement, I cite RFC 2831:
"Offline dictionary attacks are defeated if the client chooses a fresh
nonce for each authentication, as this specification requires."
Regarding your second point, and despite the fact that I am sympathetic to
it, I don't think that was a requirement in RFC 3157. But I could well be
wrong (don't have proper access to it right now).
On Mon, 22 Apr 2002, Tom Wu wrote:
> Magnus Nystrom wrote:
> > Phoenix Technologies' statement can be found at:
> > http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt
> > I think we will have to accept that the IPR situation is unclear at the
> > moment, and will continue to be so for some time. As long as we base our
> > security on a framework like SASL, however, it will always be possible to
> > revisit this issue later on without extensive re-architecturing.
> As Keith pointed out, it is up to the individual WG member to evaluate
> the validity of IPR claims. My own examination of the relevant patent
> and the circumstances surrounding it indicates that it does not have
> sufficient merit to prevent royalty-free implementation of RFC 2945.
> > Going back to Stephen's original posting therefore, one possible existing
> > SASL mechanism could be Digest-MD5, documented in RFC 2831. Digest-MD5
> > is not encumbered, offer security services such as integrity protection,
> > and does offer some advantages over other password-based mechanisms such
> > as CRAM-MD5.
> But it is still vulnerable to offline password-guessing. Has there been
> some recently-established consensus to loosen the security requirements
> to accommodate a weaker authentication mechanism?
> > -- Magnus
> > On Mon, 22 Apr 2002, Alexey Melnikov wrote:
> >>Eamon O'Tuathail wrote:
> >>>>Stanford's royalty-free IPR statement is on file with the IETF.
> >>>True, and that is much appreciated, but ...
> >>>.. has any company/organization other than Stanford make IPR claims
> >>>about SRP? If so, what are those claims, how valid are they, and are any
> >>>of those making the claims NOT prepared to offer royalty-free IPR on
> >>That is exactly the case. I am not in any shape or form an expert on IPR
> >>issues, but I've got impression that some organization (other than Stanford)
> >>has IPR claims for SRP. Can somebody clarify that?
> >>>If the technically excellent SRP were totally free from royalty-bearing
> >>>IPR claims, I would be happy to see it used, otherwise a different
> Tom Wu
> Principal Software Engineer
> Arcot Systems
> (408) 969-6124
> "The Borg? Sounds Swedish..."