
Re: More KeyedDigest... Re: another Digest Access Authentication question

From: Eric W. Sink <eric@spyglass.com>
Date: Wed, 22 Mar 1995 09:06:27 -0600
Message-Id: <ab95ecaa050210040241@[192.246.238.160]>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Phill writes:

[Note that I finally wised up and noticed that Phillip has TWO l's not one...]

>Personally I would prefer to encrypt the content using the shared secret
>(modified in some manner) and DES or IDEA. I did think of suggesting this
>at the time but then of course we are into massive ITAR problems :-( But no
>patent problems :-)
>
>
>We should probably have a bridge note written since S-HTTP has lots of shared
>secret mechanisms. Since we now have a shared secret we should employ it...
>
>The simplest mode would be to take the shared secret key [MD5 (password,
>domain, username)] and XOR it with some random 128 bits. Then use the first 64
>bits for the key and the other 64 bits for the IV of the cipher. (PKCS #5).
>The random bitstring is needed because one should attempt to limit the
>quantities of ciphertext sent under the same key.

If we extend Digest authentication to support encryption, then it becomes
Something Else.  This newly created Something Else may be a really good
thing to have around, but it will indeed have "massive ITAR problems".
Digest Authentication is being proposed for inclusion in HTTP/1.1.  I don't
think we should make ITAR an issue in HTTP/1.1.


--
Eric W. Sink, Senior Software Engineer --  eric@spyglass.com

        http://www.spyglass.com/~eric/home.htm
Received on Wednesday, 22 March 1995 09:00:18 EST
