Re: Repost of CompuServe Position on Passphrases

From: Jeff Weinstein <jsw@netscape.com>
Date: Fri, 26 Jul 1996 02:56:27 -0700
Message-ID: <31F8964B.54F8@netscape.com>
To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
CC: ietf-tls@w3.org

David P. Kemp wrote:
> 
> > From ietf-tls-request@w3.org Thu Jul 25 06:36:35 1996
> > Resent-Date: Thu, 25 Jul 1996 06:36:08 -0400
> From: Jeff Weinstein <jsw@netscape.com>
> 
> >       2) many (most?) people reuse their passwords.
> 
> That is a good argument for requiring that users not be allowed
> to choose their passwords.  Isn't that standard practice at most
> web sites that use basic auth - the content provider, not the user,
> picks the password?

  I have accounts on over a dozen sites that use basic auth on
the internet.  In every case I provided my own username and
password.  If these sites forced passwords on users they would
end up with a lot fewer subscribers.

> Don't get me wrong - I believe there is not a single good thing
> that can be said about static passwords. But the question here is
> should the TLS protocol support strong protection for them.  As
> the proposal appears to have no negative effect on the rest of
> TLS, I don't see a reason for opposing the password proposal.

  I think that including password authentication does weaken
TLS.  Every time someone's password is stolen and used to
impersonate someone using TLS, it will weaken the public
perception of the standard.  I realize that this is not a
technical concern, but it is a real one.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
Received on Friday, 26 July 1996 05:58:41 EDT
