> On 17 Jul 2015, at 1:38 am, Schmidt, Jörn-Marc
> <joern-marc.schm...@secunet.com> wrote:
>
>>> - Change the negotiation so that user name is not exchanged in the clear
>>> - Change key exchange to do PFS
>
>> TLS-pwd already supports both of these. It also supports ECC too,
>> which is problematic with the current SRP protocol.

In the language of the CFRG draft, TLS-pwd is “balanced” where SRP is “augmented”, so they’re not really equivalent, correct?

> I agree: Instead of modifying SRP I would prefer introducing a new PAKE
> scheme.
> On CFRG I recently submitted a draft on requirements for such schemes
> (https://www.ietf.org/mail-archive/web/cfrg/current/msg07005.html).
>
> Or to be even more flexible - how about defining a generic way to include
> PAKE in TLS to prevent a whole bunch of ExtensionTypes and CipherSuites by
> merging them into one "PAKE_Auth"?

This is possible, but you’d need to have the client and server negotiate based on what they have. For example, if the server has a SRP verifier from the current protocol, but the client has a stored PBKDF2 hash of the password for that server, they cannot communicate and would need to pick a different cipher suite. I am not sure how you can do this without revealing the existence of an account under some circumstances. So this might be a situation where fewer protocol options is better.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
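
The negotiation problem raised in the reply above, as an added example that is not part of the original message or of any TLS draft: a toy model in which the server picks the PAKE scheme from the credential type it stores per account, first with a distinct answer for unknown names and then with a keyed, stable decoy for them. The account names, scheme labels, response strings and `DECOY_KEY` are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed data: credential type the server stores per account (hypothetical names).
SERVER_DB = {"alice": "srp-verifier", "bob": "pbkdf2-hash"}
SCHEMES = ("srp-verifier", "pbkdf2-hash")
DECOY_KEY = b"constructed-secret"  # assumption: random and private on a real server


def negotiate_naive(user, client_has):
    """Choose the PAKE scheme from the account's stored credential type."""
    stored = SERVER_DB.get(user)
    if stored is None:
        return "unknown_user"  # distinct answer: confirms the name is unused
    return stored if stored in client_has else "no_common_scheme"


def negotiate_masked(user, client_has):
    """Same choice, but unknown names get a stable decoy credential type."""
    # The decoy is computed for every name so known and unknown names do equal work.
    tag = hmac.new(DECOY_KEY, user.encode(), hashlib.sha256).digest()
    decoy = SCHEMES[tag[0] % len(SCHEMES)]
    stored = SERVER_DB.get(user, decoy)
    return stored if stored in client_has else "no_common_scheme"


def responses(negotiate, user):
    """Answers an observer collects by offering each scheme alone, then both."""
    offers = [[s] for s in SCHEMES] + [list(SCHEMES)]
    return tuple(negotiate(user, offer) for offer in offers)


if __name__ == "__main__":
    for fn in (negotiate_naive, negotiate_masked):
        for name in ("alice", "bob", "mallory"):
            print(fn.__name__, name, responses(fn, name))
```

Even the masked variant changes its answer for a name if an account is later created with the other credential type, so in this model it narrows the leak rather than removing it.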