RE: CompuServe Positions on Passphrases and TLS

From: Dan Simon <dansimon@microsoft.com>
Date: Mon, 22 Jul 1996 11:09:12 -0700
Message-ID: <c=US%a=_%p=msft%l=RED-92-MSG-960722180912Z-1242@abash1.microsoft.com>
To: "'ietf-tls@w3.org'" <ietf-tls@w3.org>
Cc: "'jmacko@nisa.compuserve.com'" <jmacko@nisa.compuserve.com>, "'Rohit Khare'" <khare@w3.org>
>From: 	Rohit Khare[SMTP:khare@w3.org]
>
>From an architectural standpoint, I thought the issue instead was:
>What the !#$%@ are application-level authentication concepts doing in
>a transport-level confidentiality protocol?
>
If authentication is an "application-level" concept unfit for the TLS
layer, then most of the TLS handshake should be thrown away, since it
deals largely with authentication.  Personally, I consider
authentication to be far too sensitive a task to trust to applications.
(Then again, I also consider authorization to be far too sensitive a
task to trust to applications; how many operating systems, after all,
treat file access control as an application-level matter?)  But
regardless of where you think authentication should go, passphrase-based
authentication should obviously be in the same place as public-key-based
authentication, since they both perform the same function.  

As for authorization, the only people I can think of who are trying to
slip authorization into TLS are pushing attribute certificates, not
passphrase authentication.


				Daniel Simon
				Cryptographer, Microsoft Corp.
				dansimon@microsoft.com
Received on Monday, 22 July 1996 14:17:41 EDT
