draft-josefsson-password-auth-00.txt
Martin Rex
Martin.Rex at sap.com
Thu Mar 29 18:08:33 CEST 2007
Nicolas Williams wrote:
>
> On Thu, Mar 29, 2007 at 04:28:30PM +0200, Martin Rex wrote:
> > Most challenge-response protocols perform a unidirectional
> > authentication of the client/initiator to the server/acceptor only,
> > and for those the authentication scheme usually does not have
> > a name for the acceptor.
>
> Understood. Perhaps then what I should have said is that when mutual
> authentication is requested then the password should be salted with the
> acceptor name.
At first glance I think it should be OK if some kind of channel bindings
are included in (hashed into) the challenge-response exchange.
-Martin
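
The idea in the reply above, as an added example that is not part of the original message or of the draft: a client-only challenge-response in which the channel binding is hashed into the response, so a response computed over one channel does not verify on another. HMAC-SHA-256, PBKDF2, the function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for whatever password-to-key step a real scheme defines.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _lp(field: bytes) -> bytes:
    # Length-prefix each field so (challenge, binding) pairs cannot be re-split ambiguously.
    return len(field).to_bytes(4, "big") + field


def client_response(key: bytes, challenge: bytes, channel_binding: bytes) -> bytes:
    # The response covers the server's challenge AND the client's view of the channel.
    return hmac.new(key, _lp(challenge) + _lp(channel_binding), hashlib.sha256).digest()


def server_verify(key: bytes, challenge: bytes, own_binding: bytes, response: bytes) -> bool:
    # The server recomputes the response with ITS view of the channel, in constant time.
    expected = client_response(key, challenge, own_binding)
    return hmac.compare_digest(expected, response)


def demo():
    key = derive_key("constructed-password", b"constructed-salt")
    challenge = os.urandom(16)

    # Constructed channel-binding values: in practice these come from the secure channel.
    cb_direct = hashlib.sha256(b"constructed: client <-> server channel").digest()
    cb_client_leg = hashlib.sha256(b"constructed: client <-> intermediary channel").digest()
    cb_server_leg = hashlib.sha256(b"constructed: intermediary <-> server channel").digest()

    # Both ends see the same channel: the response verifies.
    direct_ok = server_verify(key, challenge, cb_direct,
                              client_response(key, challenge, cb_direct))

    # The response was computed over a different channel than the one the server
    # sees, so forwarding it unchanged fails even though the password is correct.
    forwarded_ok = server_verify(key, challenge, cb_server_leg,
                                 client_response(key, challenge, cb_client_leg))
    return direct_ok, forwarded_ok


if __name__ == "__main__":
    print(demo())
```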