"Jean-Marc Desperrier" wrote:
> The reference I gave before shows that there is now a widely accepted
> opinion that SRP does not infringe on patent more than J-PAKE (even if
> there was indeed that doubt a few years ago).
>
> A patent that covers SRP might be found, but it does not appear today to
> be more likely than it is for J-PAKE.

It is hard for most of the people on the mailing list to participate in a meaningful discussion of patents for a variety of reasons, so I'm just going to focus on the technical reasons for implementing J-PAKE instead of SRP.

> > Balanced vs augmented does not matter for Sync's usage because the
> > user is at both end points.
>
> If you don't need augmented security, J-PAKE makes more sense.

Actually, what I wrote above isn't correct. A balanced scheme is actually better for Sync because we are asking the user to read a code from the screen of device 1 and type it into device 2. Both devices need the same password/PIN.

> I'm now reading here
> http://www.mail-archive.com/cryptogra...@metzdowd.com/msg09739.html that
> J-PAKE is *proven* to be no weaker than the algorithms it relies on.

I am very interested in hearing what people think about the validity of the proofs in the J-PAKE paper and whether any security considerations have been overlooked.

FWIW, I am pretty sure that we will be having a discussion about SRP and other solutions to the problems that SRP solves when we do planning for post-FF4 releases. Implementing J-PAKE now for this one Sync use case doesn't mean that we will prefer J-PAKE for solving those other problems, and it doesn't mean that we've decided to avoid implementing SRP.

Cheers,
Brian

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto