W3C home > Mailing lists > Public > ietf-tls@w3.org > April to June 1996

Re: Password Authentication (was RE: Merged Transport Layer Protocol Development)

From: Tom Weinstein <tomw@netscape.com>
Date: Wed, 24 Apr 1996 23:21:12 -0700
Message-Id: <317F19D8.2F1C@netscape.com>
To: ietf-tls@w3.org
Dan Simon wrote:
> 
> To me, the issue is not whether password authentication is weaker than
> authentication by certified asymmetric key; most everyone would agree
> that this is the case.  Unfortunately, for reasons ranging from
> established practice to portability issues to plain ignorance, many
> people will likely continue to use passwords for authentication for
> some time to come, whether protocol authors want them to or not.  The
> issue at hand is therefore whether password-based authentication must
> continue to be as weak as the encryption available (which is often, as
> we all know, woefully weak), or whether, by our protocol design
> choices, we can make the security of password authentication as strong
> as it can possibly be.
> 
> Nobody advocates forcing people to use passwords (even if it were
> possible to do so).  The question is whether we can force them not to,
> and what to do given that we can't.  Anyone who doesn't trust
> password-based security is always free not to support it; in fact, it
> takes an explicit decision by both parties to share a password before
> password authentication even becomes possible.  People who make that
> decision are, in my view, no different from those who accept 40-bit
> encryption, or proprietary, relatively unstudied RC4 over
> heavily-analyzed (triple-)DES; we cryptographers might prefer that
> they choose otherwise, but we recognize that security must sometimes
> yield to other practical priorities.

I have to agree with Mr. Kemp.  Passwords for purposes of authentication
do not belong in a protocol that claims to provide cryptographic
security.  If you really want to use passwords, you can always do it in
an application level protocol.

What's wrong with public key cryptography?

-- 
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything.  --  Washington DC motto          | tomw@netscape.com
Received on Thursday, 25 April 1996 02:21:17 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:34:48 EDT