W3C home > Mailing lists > Public > ietf-tls@w3.org > July to September 1996

Re: Repost of CompuServe Position on Passphrases

From: David Wagner <daw@cs.berkeley.edu>
Date: 26 Jul 1996 02:47:26 -0700
To: ietf-tls@w3.org
Message-ID: <4ta47e$ik2@joseph.cs.berkeley.edu>
It seems to me that the discussion about whether to offer passphrase
authentication in TLS is a bit of a red herring.

If you want to present the passphrase authentication abstraction to the
user, then this is easy-- passphrases are (roughly speaking) a key management
technique, or are most powerful when used as such.  (Witness PGP's private
RSA key protected both by host security and a passphrase.)

Most of the requirements listed in your email can be satisfied by letting
the user see the passphrase user interface, using the passphrases for key
management, and using e.g. RSA keys for TLS key exchange.  (I'll certainly
admit that this is only roughly true-- for instance, the requirement that
folks be able to take their cryptographic secrets with them in their head,
without any floppy disks or whatnot, isn't solved by that paradigm-- but
it seems to cover most of the objections.)

Then again, I'm just starting to learn this stuff, so what do I know...
If I'm being dense, tell me to shut up. :-)

-- Dave Wagner, TLS.newbie-at-large.
Received on Friday, 26 July 1996 05:50:20 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:34:50 EDT