Hi,

On 071213 at 16:30, Michael Ströder wrote:
> Steffen Schulz wrote:
> > SRP is a great protocol also for authentication against your email
> > provider or WLAN[1] access point.
> > [..]
> > That said, I agree that web-authentication is the major use case for
> > TLS-SRP in NSS.
> Hmm, without having looked at tls-srp but from my experience SSL/TLS
> connections are quite often terminated at a reverse proxy. But the
> password-based authentication information is passed to an application
> server beyond that reverse proxy which checks the password by some means.
>
> I guess in case of tls-srp the reverse proxy (as TLS end point) would
> have also to check the password. This is not what most of my customers
> deploying reverse proxies want.
What is definitely needed for larger environments is the ability to do
user authentication at the backend, not at the web server or whatever
your SSL endpoint may be. SRP does not need its transmissions to be
secured in any way, so there is no problem in relaying the data to
somewhere else. And, it may be bad design or an otherwise flawed idea,
but TLS-SRP in NSS includes a PKCS11 interface that does exactly this:
relaying all protocol data to an entity that holds long-term secrets and
does all authentication, returning only the common session key to SSL.

(Lucky me, there is some use to the pkcs11-stuff after all.. ;-) )

/steffen
--
Chopping wood is so popular because with this activity you see the result immediately. -- Albert Einstein

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
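To make the split Steffen describes concrete, here is an added toy example (not code from this thread or from NSS): a TLS endpoint class that only relays the RFC 5054 SRP messages to a backend holding the verifiers, and the backend hands back nothing but the shared secret S. The class and function names are invented for the illustration; the group and SHA-1 hashing follow RFC 5054, and the PKCS#11 plumbing is replaced by plain Python calls.

```python
import hashlib, os

# 1024-bit SRP group from RFC 5054, Appendix A (generator g = 2).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g, NLEN = 2, (N.bit_length() + 7) // 8
def pad(x): return x.to_bytes(NLEN, "big")  # PAD(): left-pad to the length of N
def H(*parts): return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")
k = H(pad(N), pad(g))                        # SRP-6a multiplier, SHA-1 as in RFC 5054
def private_x(username, password, salt):     # x = SHA1(s | SHA1(I | ":" | P))
    return H(salt, hashlib.sha1(username + b":" + password).digest())

def make_verifier(username, password, salt): # v = g^x, stored by the backend at enrolment
    return pow(g, private_x(username, password, salt), N)

class AuthBackend:
    """Holds the long-term secrets (salt, v) and the ephemeral exponent b.
    Only the shared secret S is handed out; password, v and b never leave."""
    def __init__(self, users):
        self.users, self.pending = users, {}
    def server_key_exchange(self, username):
        salt, v = self.users[username]
        b = int.from_bytes(os.urandom(32), "big")
        B = (k * v + pow(g, b, N)) % N
        self.pending[username] = (v, b, B)
        return salt, B                           # both go on the wire unprotected
    def client_key_exchange(self, username, A):
        if A % N == 0:                           # RFC 5054: abort on A = 0 mod N
            raise ValueError("illegal SRP client public value")
        v, b, B = self.pending.pop(username)
        u = H(pad(A), pad(B))
        return pad(pow(A * pow(v, u, N), b, N))  # S = (A * v^u)^b mod N

class TlsEndpoint:
    """Reverse proxy: terminates TLS and relays SRP data; all it gets back is S."""
    def __init__(self, backend): self.backend = backend
    def server_key_exchange(self, username): return self.backend.server_key_exchange(username)
    def client_key_exchange(self, username, A): return self.backend.client_key_exchange(username, A)

def client_handshake(endpoint, username, password):
    """Client side; returns (S computed by the client, S the endpoint received)."""
    a = int.from_bytes(os.urandom(32), "big")
    A = pow(g, a, N)
    salt, B = endpoint.server_key_exchange(username)          # ServerKeyExchange
    if B % N == 0: raise ValueError("illegal SRP server public value")
    u, x = H(pad(A), pad(B)), private_x(username, password, salt)
    S = pad(pow((B - k * pow(g, x, N)) % N, a + u * x, N))    # S = (B - k*g^x)^(a + u*x)
    return S, endpoint.client_key_exchange(username, A)       # ClientKeyExchange
```

The endpoint never sees the password or the verifier, so compromising it yields only per-session secrets; the backend is the only place the RFC 5054 checks on A have to be enforced.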