At Wed, 12 Sep 2007 00:51:33 -0700, Christian Huitema wrote: > > > There are a large number of protocol designs--even existing > > protocols--which are compatible with the general paradigm of "user U > > proves possession of password P to server A without giving A a > > credential which can be used to impersonate U to server B". > > HTTP Digest, TLS-PSK, SRP, and PwdHash all come to mind. The > > difficult parts are: > > > > (1) putting a sensible UI on it--including one that isn't easily > > spoofed (see the extensive literature on how hard it is > > to build a secure UI. > > (2) Getting everyone to agree on one protocol. > > Please add: > > (3) The chosen solution is immune to dictionary attacks. Well, I'm not convinced that this is in fact a requirement (I note it's not in Sam's document, not that I take that as gospel). That said, if you want this property, then it severely narrows the scope of possible solutions, more or less down to either ZKPP/PAKE protocols and to public key-based authentication using random (as opposed to password generated) keys. -Ekr _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf