Re: Closing on shared-key authentication

From: Jeff Williams <jwkckid1@ix.netcom.com>
Date: Fri, 11 Oct 1996 15:32:45 -0500
Message-Id: <>
To: Tom Weinstein <tomw@netscape.com>
Cc: ietf-tls@w3.org

Please read below your comments.

At 10:51 AM 10/11/96 -0700, you wrote:
>Marc VanHeyningen wrote:
>> > - The only security reason for including password auth in TLS is
>> >   that it gains stronger security by having access to strong crypto
>> >   in the export case.  I don't think we should include features this
>> >   major based solely on brain-damaged US export regulations that
>> >   will hopefully soon change.
>> Seems to me that's only if you assume the best way to secure password
>> auth is to just encrypt the password, as opposed to using other
>> more sophisticated methods.
>No, you should certainly do something more than just send the password
>encrypted.  You should avoid sending the password at all, encrypted or
>otherwise.  Some sort of challenge/response mechanism would be
>appropriate, but you are protected from eavesdroppers if you encrypt
>the data.

  I think that this is a good idea to incorporate in TLS, or at least provide
for that option in the protocol.
>> It also is true only if you're willing to accept authentication that
>> is dependent upon the security of the encryption; some people feel
>> this is undesirable for reasons having nothing to do with export
>> regulations.
>Do you suggest that the encryption (even 40-bit) is the weak link in
>this scheme?  I don't think so.  While there may be some advantages to
>be gained by moving the dependency up to the security of the key
>exchange from that of the bulk cipher, I don't think they outweigh the

  I just can't agree completely with you here Tom.  40 bit has already been
broken and can easily be broken again in about 2 seconds.


>You should only break rules of style if you can    | Tom Weinstein
>coherently explain what you gain by so doing.      | tomw@netscape.com
Jeffrey A. Williams
SR.Internet Network Eng. 
CEO., IEG., INC.,  Representing PDS .Ltd.
Web: http://www.pds-link.com 
Phone: 214-793-7445 (Direct Line)
Director of Network Eng. and Development IEG. INC.
Received on Friday, 11 October 1996 16:57:08 UTC
