[messaging] PKI is dead
Michael Hamburg
mike at shiftleft.org
Fri Jan 23 14:51:10 PST 2015
Augmented PAKE avoids the raw credentials problem. But PAKE doesn’t solve all problems. Without PKI it’s a duckling model at best, and you don’t log into every website every time with a password.
— Mike
> On Jan 23, 2015, at 2:49 PM, Justin King-Lacroix <justin.king-lacroix at cs.ox.ac.uk> wrote:
>
> I think "is" and "should be" have been conflated. (Unfortunately -- PKI needs to die, I agree.)
>
> Is PAKE really the way to go, though? Having servers store raw (as opposed to salt-hashed) credentials feels like a mistake.
>
> J
>
> On 23 January 2015 at 09:57, U.Mutlu <for-gmane at mutluit.com> wrote:
> SSL certificate stuff (ie. PKI) is IMO dead. NSA killed it.
> Back to the roots: hashed pw over MITM-safe sessions (SRP, SPEKE etc, ie. PAKE).
>
> cu
> Uenal
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging