[cryptography] Secure Remote Password (SRP) and Plaintext Email Address

Jeffrey Walton noloader at gmail.com
Thu Oct 18 23:21:59 EDT 2012


On Thu, Oct 18, 2012 at 9:36 PM, Nico Williams <nico at cryptonector.com> wrote:
> On Thu, Oct 18, 2012 at 7:52 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>> [SNIP]
>> I'm not really convinced that using an email address in the plaintext
>> for the SRP protocol is finding-worthy, considering email addresses
>> are public information. And I'm very skeptical that it's a critical
>> finding.
>
> It... depends.  If you need privacy protection for the client ID then
> you need it, no?  I can't tell you if you do.  You must decide this.
> For most applications I think privacy protection for the client ID is
> not really necessary.
It's probably worth mentioning: the organization is from the UK, and
the penetration testing firm is from the UK. I'm US based, and it
could be the case that I am ignorant of UK data security requirements.
I attempted to get a copy of the standard used (with no joy).

Jeff
