W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

Re: Digest Authentication, Netscape, and Microsoft

From: Scott Lawrence <lawrence@agranat.com>
Date: Thu, 17 Apr 1997 12:01:45 -0400
Message-Id: <199704171601.MAA11507@devnix.agranat.com>
To: Ari Luotonen <luotonen@netscape.com>
Cc: Hallam-Baker <hallam@ai.mit.edu>, dan@spyglass.com, http-wg@cuckoo.hpl.hp.com

>>>>> "AL" == Ari Luotonen <luotonen@netscape.com> writes:

AL> SSL does allow a null-cipher -- in Netscape Servers it's enabled via
AL> choice "No encryption, only MD5 message authentication".  This
AL> provides certificate based authentication and message integrity on
AL> HTTP data, but the data is not encrypted, so there's minimal overhead.

  It is not nearly as minimal as 2069 - in order use even a null
  cipher, I must be able to process a certificate.  For a good many
  systems, this is too costly (in code to do public key certificate
  handling, and licensing of that technology) and not justified by the
  product requirements.  I don't want to do RSA code in an ethernet
  repeater or a web coffeepot (and only one of those is a frivolous
  example).

  Certificate based security is wonderfull, and I fully support its
  wide use in the Internet and incorporation into all sorts of
  standards, but it is _not_ a replacement for simpler schemes which
  have different requirements.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Thursday, 17 April 1997 09:05:02 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:34 EDT