[cryptography] Let's go back to the beginning on this

Jeffrey Walton noloader at gmail.com
Tue Sep 13 09:57:51 EDT 2011


On Mon, Sep 12, 2011 at 5:48 PM, James A. Donald <jamesd at echeque.com> wrote:
>    --
> On 2011-09-11 4:09 PM, Jon Callas wrote:
>> The bottom line is that there are places that continuity
>> works well -- phone calls are actually a good one. There
>> are places it doesn't. The SSL problem that Lucky has
>> talked about so well is a place where it doesn't. Amazon
>> can't use continuity. It is both inconvenient and insecure.
>
> Most people who login to Amazon have a long existing relationship: Hence key
> continuity and SRP would work well.
I can't help but feel that Thomas Wu's SRP (or other PAKEs) would have
helped the folks in Iran. A process which only requires two parties
(Google and the individual) had three parties, one of whom failed
spectacularly.

Not only do the additional parties add undue exposure (as used by
hackers on this occasion), its also an additional party which can be
strong armed by the US government with gestapo legislation such as the
PATRIOT Act (for those who take offense, insert your favorite unkind
government). Considering how frequently corporate america complies
with law enforcement requests (*not* court orders), removing unneeded
parties would certainly reduce or restrict privacy threats since the
US government and corporate america have a chronic, progressive
history of violations.

> Those few people who login for the first time generally get there by typing
> a search string into their browser.  This is reliable because DNS and
> routing are not the low hanging fruit.  When and if we fix other problems,
> and they become the low hanging fruit, then yurls will solve that problem.
I look at it as a necessary evil - the relationship must be established somehow.

Jeff



More information about the cryptography mailing list