couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Klaus Trainer (JIRA)" <>
Subject [jira] [Assigned] (COUCHDB-2100) Implement TLS-SRP (RFC 5054)
Date Mon, 24 Feb 2014 15:41:22 GMT


Klaus Trainer reassigned COUCHDB-2100:

    Assignee: Klaus Trainer

> Implement TLS-SRP (RFC 5054)
> ----------------------------
>                 Key: COUCHDB-2100
>                 URL:
>             Project: CouchDB
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: HTTP Interface
>            Reporter: Klaus Trainer
>            Assignee: Klaus Trainer
> TLS-SRP, which provides a password-based mutual (i.e., for both client
> and server) authentication for TLS, is supported in Erlang/OTP since
> R16B01.
> As implementing support for TLS-SRP in CouchDB would mean to just add
> new functionality, it can likely be implemented without making CouchDB
> incompatible with older Erlang/OTP releases at the same time.  With
> regard to the ssl application API, adding TLS-SRP-support would
> concretely mean to add additional options (i.e., `srp_identity` and
> `user_lookup_fun`) when calling `listen` or rather `connect` in the case
> that TLS-SRP is supported in that particular version of the ssl
> application.
> Advantages:
> * Users can use TLS without having to deal with certificate authorities.
> * Password authentication is less prone than certificate authentication
>   to certain types of configuration mistakes, such as expired
>   certificates or mismatched common name fields.
> * TLS-SRP is forward-secure.
> Disadvantages:
> * While there are several TLS-SRP implementations out there (e.g., in
>   GnuTLS, OpenSSL, Apache mod_gnutls, cURL, TLS Lite, and
>   SecureBlackbox), it is still not implemented in browsers.
> * If an attacker learns a user's SRP verifier (e.g., by gaining access
>   to a user document), the attacker can masquerade as the real server to
>   that user (c.f. section 3.3 in RFC 5054).

This message was sent by Atlassian JIRA

View raw message