Re: New work for sacred working group?
pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann) writes:
> Stephen Farrell <stephen.farrell@xxxxxxxxx> writes:
>
>>Does the lack of response mean that there's no longer much interest in using
>>schemes like SPEKE for credential download or that no-one's reading this list
>>anymore?
>
> I'm reading it, but purely in passive mode. In theory I'd be strongly opposed
> to the use of any crippled/patented technology in Sacred (particularly when
> there are unencumbered alternatives available), but since I'm not an
> implementor it's really just a personal opinion.
Which unencumbered alternatives are you thinking of?
It appears to me as if the security community in IETF can't offer a
good password based security protocol.
Anything beyond TLS+PLAIN seems to me to be either surrounded with IPR
concerns (SPEKE, SRP); or incredibly poorly designed and implemented
(DIGEST-MD5); or deprecated (CRAM-MD5); or too complex to allow
reasonable implementations (X.509, CMS); or too experimental (TLS
PSK); or burdened by history (Kerberos), to be applicable.
Of course, this is merely another personal opinion as I don't have a
SACRED implementation either. (I'd like to write one though... :))
Cheers,
Simon