>From: Rohit Khare[SMTP:khare@w3.org]
>
>From an architectural standpoint, I thought the issue instead was:
>What the !#$%@ are application-level authentication concepts doing in
>a transport-level confidentiality protocol?
>

If authentication is an "application-level" concept unfit for the TLS layer, then most of the TLS handshake should be thrown away, since it deals largely with authentication.

Personally, I consider authentication to be far too sensitive a task to trust to applications. (Then again, I also consider authorization to be far too sensitive a task to trust to applications; how many operating systems, after all, treat file access control as an application-level matter?)

But regardless of where you think authentication should go, passphrase-based authentication should obviously be in the same place as public-key-based authentication, since they both perform the same function.

As for authorization, the only people I can think of who are trying to slip authorization into TLS are pushing attribute certificates, not passphrase authentication.

Daniel Simon
Cryptographer, Microsoft Corp.
dansimon@microsoft.com

Received on Monday, 22 July 1996 14:17:41 EDT