W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1999

Re: Password change via HTTP

From: Alex Kodat <ALEX@SIRIUS.sirius-software.com>
Date: Sun, 13 Jun 99 09:55:47 EDT
Message-Id: <199906131411.PAA20553@hplb.hpl.hp.com>
To: hallam@ai.mit.edu
Cc: http-wg@hplb.hpl.hp.com
In-Reply-To:  Message of Sat, 12 Jun 1999 23:24:20 -0400 from <hallam@ai.mit.>

While I wholeheartedly agree that PKCS is *far* superior to password based
schemes, I suspect passwords will be around for some time to come. The idea
that every workstation out there will be equipped with smart-card readers
and all users will be walking around with smart cards that contain their
personal client certificate is lovely but not one I think we're likely
to see everywhere for many years to come.

Password based systems are just too easy to manage and can be trivially
used with existing legacy systems. It's kinda like the https vs. shttp
issue or electronic wallets vs. credit card numbers over SSL: the
obviously superior technology is adopted slowly because the easier to
manage technology is considered "good enough" (BTS) and has virtually
no administrative overhead whereas the newer superior technology has
considerable administrative overhead.

Just a prediction that 10 years from now people will still be using
passwords with we-based applications and will still be sending credit
card numbers over SSL. If there's a way I can help our customers using
password based systems I'd like to be able to do so.

Alex Kodat
Sirius Software
Cambridge, MA
Received on Sunday, 13 June 1999 15:11:32 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:31 EDT