Daniel Harkins <dharkins@xxxxxxxxxxxxxxxxx> writes:
> We may be talking past each other. But the reason that note is there
> is because this is a "balanced" PAKE where both sides use an identical
> representation of a credential. In this case, the credential is not
> the password, it's the hashed password. So if an attacker gets a copy
> of the hashed password it can impersonate the client to the server and
> the server to the client. In other uses of hashed password databases
> the client sends the password across the wire/air so if an attacker
> somehow got ahold of the hashed password it would not be able to
> impersonate the client to the server (because the server is asking for
> the password not the hashed password).

(My apologies for not replying sooner.)

I suspect that I'm being caught up by the fact that I don't know the
design space of authentication protocols very well. In any case, this
point is certainly not a reason to hold up the draft.

Dale
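
The distinction drawn in the quoted paragraph, as an added example that is not part of the thread or the draft: it compares a verifier that holds the same hashed password as its peer with one that receives the password and hashes it. Assumptions: an HMAC challenge-response stands in for the balanced PAKE exchange (it is not a PAKE), PBKDF2 stands in for the password hash, and all names and values are hypothetical.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"  # constructed sample value


def hash_password(password: str) -> bytes:
    """The stored credential: a salted, iterated hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


def balanced_proof(credential: bytes, challenge: bytes) -> bytes:
    """Balanced model: the proof is keyed by the hashed password itself.
    (HMAC stand-in for the PAKE exchange; an assumption, not a real PAKE.)"""
    return hmac.new(credential, challenge, hashlib.sha256).digest()


def balanced_accepts(stored: bytes, challenge: bytes, proof: bytes) -> bool:
    """Verifier holds the same representation the prover used."""
    return hmac.compare_digest(balanced_proof(stored, challenge), proof)


def wire_accepts(stored: bytes, submitted: str) -> bool:
    """Password-over-the-wire model: verifier hashes what it receives."""
    return hmac.compare_digest(hash_password(submitted), stored)


def compare_models(password: str = "correct horse battery") -> dict:
    stored = hash_password(password)   # what the database holds
    leaked = stored                    # a copy of that database entry
    challenge = secrets.token_bytes(16)
    return {
        # Legitimate peer derives the credential from the password.
        "balanced_with_password": balanced_accepts(
            stored, challenge, balanced_proof(hash_password(password), challenge)),
        # Holder of the leaked entry never needs the password.
        "balanced_with_leaked_hash": balanced_accepts(
            stored, challenge, balanced_proof(leaked, challenge)),
        "wire_with_password": wire_accepts(stored, password),
        # Submitting the leaked hash just gets hashed again and rejected.
        "wire_with_leaked_hash": wire_accepts(stored, leaked.hex()),
    }


if __name__ == "__main__":
    for case, accepted in compare_models().items():
        print(f"{case}: {accepted}")
```

For a balanced scheme the stored hashed password therefore needs the same protection as a plaintext password.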