W3C home > Mailing lists > Public > ietf-tls@w3.org > July to September 1996

RE: Repost of CompuServe Position on Passphrases

From: Christopher Allen <ChristopherA@consensus.com>
Date: Wed, 31 Jul 1996 18:22:11 -0700
Message-Id: <v03007801ae25b6b9c78f@[157.22.240.192]>
To: ietf-tls@w3.org
At 5:46 PM -0700 7/31/96, Don Schmidt wrote:
>>>use use FTP's current password methods to authenticate the client.
>>>Same can be done with HTTP using it's current auth structure,
>>and most every other protocol over SSL.
>
>is precisely one of the problems that including a standard shared-secret
>auth mechanism in TLS is designed to solve.  Each one of these protocols
>does password auth in an app specific manner.  It would greatly simplify
>the development, deployment and administration of secured apps if there
>is was one system-level protocol and I/F for security.  This is a
>benefit of TLS for certificate-based auth.  When it is within our grasp,
>who are we to deny the same benefit to  applications or service
>providers that have reasons to continue to use shared-secret based auth?

But if you are going to do that much engineering to change software to "one
system-level protocol", then it should be a small step to using
certificates correctly. If legacy is important, they use the application
level AUTH commands over SSL. If you are doing something new, use
certificates.

------------------------------------------------------------------------
..Christopher Allen                  Consensus Development Corporation..
..<ChristopherA@consensus.com>                 1563 Solano Avenue #355..
..                                             Berkeley, CA 94707-2116..
..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
..  Security Integration Suite(tm)" <http://www.consensus.com/SSLPlus>..
Received on Wednesday, 31 July 1996 21:22:30 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:34:50 EDT