Comments on P1363.2 D25. August 24, 2006. Kaliski/1 (technical). D.22.214.171.124.1 [B15] also describes a multi-server scheme that obtains a retrieved key using just one PKRS-1 server, plus another non-PKRS-1 server.
August 24, 2006
“Alternatively, the master key could be derived from a single PKRS-1 retrieved key and a component stored on another (non-PKRS-1) server, where the Client must demonstrate knowledge of the retrieved key to the second server in order to obtain the component. This variant protects the password against compromise of the PKRS-1 server.”
“⎯ using oKCF = Hash(Z || ), which prevents the Server from fooling the Client without first correctly guessing the password, or”
“⎯ using oKCF = Hash(Hash(Z1||Z2|| … Zn) || ), where the Zi values are derived using PKRS-1 with n distinct Servers, which prevents each Server from fooling the Client without first correctly guessing the password, or”
Agree with these changes.