Re: Password change via HTTP

From: Phillip Hallam-Baker <hallam@ai.mit.edu>
Date: Sat, 12 Jun 1999 23:24:20 -0400
Message-ID: <002d01beb54c$3b40ff90$0100a8c0@BANANAS>
To: "Alex Kodat" <ALEX@SIRIUS.sirius-software.com>, <http-wg@hplb.hpl.hp.com>

Some history.

    The HTTP Authentication mechanism was invented back in 1993. The
principal constraint on the design was the patent encumbrances on all known
forms of public key cryptography. I would much have preferred to have been
able to propose a public key based scheme at that time.

    Today the Diffie-Hellman patent has expired and the RSA patent will
expire in very short order. There is no reason to propose another password
based scheme. We should look to phase out the use of passwords entirely -
except for passphrases used to secure private keys.

    The PKIX group has proposed a complete set of standards for use and
management of PKI. Commercial products provide a complete infrastructure for
deployment in enterprises both large and small.

        Phill
Received on Sunday, 13 June 1999 04:34:19 EDT