
Re: Re: Password change via HTTP

From: Phillip Hallam-Baker <hallam@ai.mit.edu>
Date: Sun, 13 Jun 1999 19:21:13 -0400
Message-ID: <000901beb5f3$6f2f3e00$0100a8c0@BANANAS>
To: "Alex Kodat" <ALEX@SIRIUS.sirius-software.com>
Cc: <http-wg@hplb.hpl.hp.com>


>While I wholeheartedly agree that PKCS is *far* superior to password based
>schemes, I suspect passwords will be around for some time to come. The idea
>that every workstation out there will be equipped with smart-card readers
>and all users will be walking around with smart cards that contain their
>personal client certificate is lovely but not one I think we're likely
>to see everywhere for many years to come.

Smartcards are not a requirement for PKI. I have installed many PKIs
and very few use smartcards.


>Password based systems are just too easy to manage and can be trivially
>used with existing legacy systems.

Actually, management of password systems in a large enterprise is far
from easy.

Management of passwords in a small system is no simpler than
locally issued certificates.

Either way, I don't think that the HTTP working group should spend
any more time trying to make passwords work when applications such
as SSH have demonstrated that public key based systems are more
feasible and easier to manage.


        Phill
Received on Monday, 14 June 1999 00:31:23 EDT
