
Re: CompuServe Positions on Passphrases and TLS

From: Rohit Khare <khare@w3.org>
Date: Sat, 20 Jul 1996 17:42:43 -0400 (EDT)
Message-Id: <199607202142.RAA06414@anansi.w3.org>
To: ietf-tls@w3.org, jmacko@nisa.compuserve.com

Your points on the security of well-built passphrase systems are excellent.

From an architectural standpoint, I thought the issue instead was:
What the !#$%@ are application-level authentication concepts doing in
a transport-level confidentiality protocol?

TLS is attacking a very appropriate solution for user-installable
confidential streams -- but they are streams, no more or less. I think
it's no more reasonable to run an application authentication and
authorization protocol than to sign a "document" within a stream
abstraction. 

Pass-phrase driven key-establishment *may* be an appropriate whistle for
TLS/SSL3 to address, but the service of exchanging passphrases securely
might well be out of scope.

Rohit Khare
(my opinions, not W3C's)
Received on Saturday, 20 July 1996 17:42:46 EDT
