How broad is the SPEKE patent.
James A. Donald
jamesd at echeque.com
Thu Nov 10 13:28:46 PST 2005
--
From: Charlie Kaufman
> From a legal perspective, they would
> probably have a better chance with SRP, since Stanford
> holds a patent and might be motivated to support the
> challenge.
The vast majority of phishing attacks and other forms of man in the
middle attack seek to steal existing shared secrets - passwords,
social security numbers, credit card numbers.
I figured that the obvious solution to all this was to deploy zero
knowledge technologies, where both parties prove knowledge of the
shared secret without revealing the shared secret.
Now I see that zero knowledge technologies have been deployed - or
almost so:
SRP-TLS-OpenSSL http://www.edelweb.fr/EdelKey/ (not quite ready
for prime time)
And SRP GNU-TLS http://www.gnu.org/software/gnutls/manual/html_node/
Of course, actual use of these technologies means that the browser
chrome, not the web page, must set up and verify the password.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
FtM0KMPHrqFLxpaSShaR05Rlxb8CnxF4pHnz9Yqy
4RHOMGs4NJv8heDXAxtfYQ4sYI82tcElZ5wJ4qgvc
More information about the cypherpunks-legacy
mailing list