Message-ID: <20060313230221.GF3298@sentinelchicken.org>
Date: Mon Mar 13 23:02:30 2006
From: tim-security at sentinelchicken.org (Tim)
Subject: HTTP AUTH BASIC monowall.
> Although something else may have been intended by using the phrase
> "password-authenticated key agreement", let's not forget that's all PKI is -
> key agreement based on verifying a password.
> At the server end, the site admin's password is verified e.g. for SSL servers
> At the client, if you're lucky, the user chose a hard to crack password.
Hmm... Your terminology is sounding a bit off. Passwords are symmetric
keys. PKI stands for Public Key Infrastructure. I think what you mean
here is that the server's public key (contained in the certificate) is
verified based on a provided signature/challenge generated by the
server's private key, and by signatures of "trusted" certificate
authorities, along with a whole host of other things. Sure, the site
admins may protect their private key with a password, but even if they
don't, it has nothing to do with the PKI.
As for the client side, they usually use passwords, but they may also
use client-side certificates in SSL with no password at all.
> That, and the access controls on each endpoint is all that authenticates any
> PKI-based schema.
True, if you are worried about local attackers at the endpoint. These
access controls are usually permissions in conjunction with a symmetric
key (password).
tim
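The distinction Tim draws above (server authentication in PKI rests on a signature made with the private key plus the CA's signature on the certificate, and any passphrase on that private key is invisible to the verifier) can be shown end to end with the openssl command line. The script below is an added example, not code from this thread or from the m0n0wall project; it assumes only that the `openssl` CLI is installed, and the CA name "Demo Root CA", the hostname "example.test" and the passphrase "hunter2" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: PKI server authentication is signature-based, not password-based.
# Assumes the openssl CLI is on PATH. All files go in a throw-away directory.
demo_pki_auth() (
    set -eu
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # 1. A "trusted" certificate authority: self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo Root CA" -days 1 2>/dev/null

    # 2. Server private key, protected with the admin's passphrase (constructed: hunter2),
    #    a CSR for the server name, and a certificate signed by the CA.
    openssl genrsa -aes256 -passout pass:hunter2 -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -passin pass:hunter2 -out server.csr \
        -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out server.crt -days 1 2>/dev/null

    # 3. Client-side check (a): the certificate chains to a CA the client trusts.
    out=$(openssl verify -CAfile ca.crt server.crt 2>&1 || true)
    case "$out" in *": OK"*) ;; *) echo "chain check failed: $out"; exit 1 ;; esac

    # 4. Client-side check (b): proof of possession of the private key.
    #    The client sends a random challenge, the server signs it, the client
    #    verifies the signature with the public key taken from the certificate.
    head -c 32 /dev/urandom > challenge.bin
    openssl dgst -sha256 -sign server.key -passin pass:hunter2 \
        -out challenge.sig challenge.bin
    openssl x509 -in server.crt -pubkey -noout > server.pub
    openssl dgst -sha256 -verify server.pub -signature challenge.sig challenge.bin >/dev/null

    # 5. Strip the passphrase from the key. The verifier never needed it and the
    #    verification step is byte-for-byte the same.
    openssl rsa -in server.key -passin pass:hunter2 -out server_nopass.key 2>/dev/null
    openssl dgst -sha256 -sign server_nopass.key -out challenge2.sig challenge.bin
    openssl dgst -sha256 -verify server.pub -signature challenge2.sig challenge.bin >/dev/null

    # 6. A rogue self-signed certificate with the same subject name fails check (a),
    #    however well it can sign challenges: the CA signature is what the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.crt \
        -subj "/CN=example.test" -days 1 2>/dev/null
    out=$(openssl verify -CAfile ca.crt rogue.crt 2>&1 || true)
    case "$out" in *": OK"*) echo "unexpected: rogue cert accepted"; exit 1 ;; esac

    echo ok
)

demo_pki_auth
```

The function prints `ok` only if the CA-signed certificate passes chain validation, the server proves possession of its key both with and without a passphrase on it, and the rogue certificate is rejected; the passphrase appears nowhere on the verifying side.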