undefined | Better HN

0 pointsprophesi6y ago0 comments

From what I've gathered from the discussions & links on here:

Our current solution for password authentication is perfectly fine, unless you distrust your CA's.

SRP itself is a bit of a mess, and has gone through a lot of iterations to fix its faults. OPAQUE is probably your best bet. But implementing the protocol seems like overkill for password auth, and is easy to implement improperly.

Such PAKE's will likely prove to have other good use-cases, however, like magic-wormhole.

0 comments

1 comments · 1 top-level

tptacek6y ago

This sounds about right? Nobody really "trusts" CAs, but the whole WebPKI system that surrounds it is a lot more intricate than most people understand, and we've reached a sort of trust detente with it. The pressure to replace it root-and-branch is mostly gone now, and whatever replaces it, it won't be PAKEs.

I like PAKEs just fine and in particular really like Magic Wormhole.

j / k navigate · click thread line to collapse