Re: http-digest-aa-rev-00.txt

From: John Franks <john@math.nwu.edu>
Date: Wed, 6 Aug 1997 09:12:16 -0500 (CDT)
To: David Jablon <dpj@world.std.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.96.970806085335.26845B-100000@hopf.math.nwu.edu>

On Wed, 6 Aug 1997, David Jablon wrote:

> Gentlemen,
> 
> I support your goal of replacing the clear-text
> password method in HTTP with something stronger, but I
> wonder about why you didn't consider something stronger.
> Several password-based protocols are known that
> are much better than the one described in this
> document:
> 

To quote from the draft:

   "Digest Authentication does not provide a strong authentication
   mechanism.  That is not its intent.  It is intended solely to replace
   a much weaker and even more dangerous authentication mechanism: Basic
   Authentication.  An important design constraint is that the new
   authentication scheme be free of patent and export restrictions."

The necessity to avoid any patent and export restrictions is
fundamental.  In particular, protocols which make any use of
public-key techniques are not acceptable.


John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu
Received on Wednesday, 6 August 1997 07:13:52 EDT