Hacker News
by tptacek 5636 days ago
No, Zed. A timing attack based on password length in SRP is not really legitimate.

As you know, I read your code, and I know you're not using HMAC. I'm saying that timing SRP based on passwords is like timing HMAC based on the key: i.e., not how a timing attack on SRP would actually work.

I'm going to let someone else chime in and add details to this, because when you and I argue, it just becomes a crazy personality-driven soap opera. I have approximately the same issue with Kaminsky, so don't think that's somehow a criticism of you.

For the record: I'm not a real cryptographer. We do have some on HN. Colin Percival is really a cryptographer; he has been published multiple times in the literature. What I do is get paid to break systems, and I've been on a tear through crypto features in the last couple years. I am a second-rate Nate Lawson. That's all the background needed to sniff-test this Twitter dialog.