Re: http-digest-aa-rev-00.txt

From: David Jablon <dpj@world.std.com>
Date: Wed, 06 Aug 1997 13:48:46 -0400
Message-Id: <3.0.1.16.19970806134846.08b78432@world.std.com>
To: John Franks <john@math.nwu.edu>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
At 09:12 AM 8/6/97 -0500, John Franks wrote:
>On Wed, 6 Aug 1997, David Jablon wrote:
>
>> Gentlemen,
>> 
>> I support your goal of replacing the clear-text
>> password method in HTTP with something stronger, but I
>> wonder about why you didn't consider something stronger.
>> Several password-based protocols are known that
>> are much better than the one described in this
>> document:
>> 
>
>To quote from the draft:
>
>   "Digest Authentication does not provide a strong authentication
>   mechanism.  That is not its intent.  It is intended solely to replace
>   a much weaker and even more dangerous authentication mechanism: Basic
>   Authentication.  An important design constraint is that the new
>   authentication scheme be free of patent and export restrictions."
>
>The necessity to avoid any patent and export restrictions is
>fundamental.  In particular, protocols which make any use of
>public-key techniques are not acceptable.

Why?

As I understand export regulations, no authentication-only method
is export controlled.  As for patent restrictions, have you
actually done an investigation into these?

I'd like to better understand your concerns here, with regard
to both patents and public-key techniques.  To rule out the entire
category of public-key assisted methods seems extremely
limiting, and a clear rationale for such a fundamental
restriction is certainly missing from the draft.

Received on Wednesday, 6 August 1997 10:59:50 EDT