- From: Jeff Weinstein <jsw@netscape.com>
- Date: Mon, 14 Oct 1996 23:35:29 -0700
- To: Bennet Yee <bsy@cs.ucsd.edu>
- CC: ietf-tls@w3.org
Bennet Yee wrote: > > I've been too busy, but felt this deserves a reply. > > Jeff Weinstein wrote regarding password mechanisms: > > Also note that these protocols (HTTP, POP, etc.) have to solve this > > problem anyway, since they will generally not be used with TLS any > > time soon. Since they are already solving the problem, why do we > > need to do it again? > > All programs must do I/O. Since they all have to figure out how to do > so, why provide them with operating systems or standard libraries to > help them? There is a difference. All these programs run on operating systems. They require the OS to run. My point was that these protocols MUST be able to do strong authentication in the absence of TLS, therefore they are already solving this problem. If we go down this road, we will have clients that want to do https: with HTTP digest auth trying to communicate with servers that want to do https: with TLS password auth and no HTTP auth. This will lead to interoperability hell, since there will be two common methods for doing the same thing, with no clear consensus. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
Received on Tuesday, 15 October 1996 02:38:30 UTC