[Security] About the Firefox 3 Security Dialog & others

Hannes Tschofenig Hannes.Tschofenig at gmx.net
Sat Aug 23 12:14:30 CDT 2008


Should someone mention the IPR issues with SRP that prevented widespread 
usage?



Eric Rescorla wrote:
> On Sat, Aug 23, 2008 at 5:46 AM, Pedro Melo <melo at simplicidade.org> wrote:
>   
>> Hi,
>>
>> On Aug 23, 2008, at 1:18 PM, Jonathan Schleifer wrote:
>>
>>     
>>> On 23.08.2008 at 11:04, Dirk Meyer wrote:
>>>
>>>       
>>>> SAS does not work for me when I use bots. It also reduces it to one
>>>> way removing the option of X.509 certificates which is something I
>>>> need.
>>>>         
>>> I never said SAS should be the only way, we need multiple ways. I suggest
>>> those:
>>>
>>> * SAS with mnemonics
>>> * Fingerprint verification
>>> * CA, but no CA added in the client by default (so the user has to trust
>>> the CA manually, for example useful in a company so you don't have to verify
>>> every co-worker)
>>>       
>> Exactly. For bots, I personally would create my own CA and tell those pesky
>> little devils just to trust certificates signed by that.
>>
>> Profit!
>>
>>
>>     
>>>>> Having a 32-bit SAS encoded with Mnemonics (like already suggested
>>>>> here) really sounds like a great idea.
>>>>>           
>>>> Why not encode a key fingerprint with Mnemonics? Looks like the same
>>>> to the user.
>>>>         
>>> Only taking 32 bits of the fingerprint and using Mnemonics is insecure as
>>> this is easy to forge - we already discussed it here.
>>>
>>> BTW: It was argued a lot that ESessions misses a cryptanalysis, but if we
>>> are going to do extensions to TLS, we might need a cryptanalysis for this
>>> stuff too. TLS is useless if we add a verification method that is insecure.
>>>       
>> Well, SAS and SRP are IETF (draft?) extensions. SRP has more than 10 years
>> of field tests and debate (up to current SRP-6, I believe).
>>     
>
> SRP isn't a draft. It's an RFC.
>
> I agree we would need to do an SAS extension to TLS if we wanted SAS
> and yes, that would need analysis. However, it's a relatively small
> piece of work compared to a whole new protocol.
>
> -Ekr
>   
