
Re: Password Authentication (was RE: Merged Transport Layer Protocol Development)

From: Tom Weinstein <tomw@netscape.com>
Date: Wed, 24 Apr 1996 23:21:12 -0700
Message-Id: <317F19D8.2F1C@netscape.com>
To: ietf-tls@w3.org

Dan Simon wrote:
> To me, the issue is not whether password authentication is weaker than
> authentication by certified asymmetric key; most everyone would agree
> that this is the case.  Unfortunately, for reasons ranging from
> established practice to portability issues to plain ignorance, many
> people will likely continue to use passwords for authentication for
> some time to come, whether protocol authors want them to or not.  The
> issue at hand is therefore whether password-based authentication must
> continue to be as weak as the encryption available (which is often, as
> we all know, woefully weak), or whether, by our protocol design
> choices, we can make the security of password authentication as strong
> as it can possibly be.
>
> Nobody advocates forcing people to use passwords (even if it were
> possible to do so).  The question is whether we can force them not to,
> and what to do given that we can't.  Anyone who doesn't trust
> password-based security is always free not to support it; in fact, it
> takes an explicit decision by both parties to share a password before
> password authentication even becomes possible.  People who make that
> decision are, in my view, no different from those who accept 40-bit
> encryption, or proprietary, relatively unstudied RC4 over
> heavily-analyzed (triple-)DES; we cryptographers might prefer that
> they choose otherwise, but we recognize that security must sometimes
> yield to other practical priorities.

I have to agree with Mr. Kemp.  Passwords for purposes of authentication
do not belong in a protocol that claims to provide cryptographic
security.  If you really want to use passwords, you can always do it in
an application level protocol.

What's wrong with public key cryptography?

Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything.  --  Washington DC motto          | tomw@netscape.com
Received on Thursday, 25 April 1996 02:21:17 UTC