This generally seems like the wrong layer to add password-based authentication. Connections in modern browsers are shared across several domains and it would create ambient authority. An exported Authenticator would be a better approach.
I came to the exact same conclusion.
Isn’t SRP standardized as a TLS ciphersuite and implemented in OpenSSL?
It is, but SRP is only defined with CBC mode ciphersuites, which have some performance and security issues. No reason SRP AEAD suites could not be created, but OpenSSL does not have those.