Shared Secret Authentication

From: David P. Jablon <dpj@world.std.com>
Date: Thu, 06 Feb 1997 18:52:07 -0500
Message-Id: <1.5.4.16.19970206235207.10cf17f6@world.std.com>
To: ietf-tls@w3.org

Earlier threads on this list seem to have focused debate on
weak methods for password/passphrase/shared-secret authentication.

Methods that are immune to unconstrained dictionary attack
have been around since 1992, from Bellovin & Merritt's EKE family
of protocols, to the SPEKE method developed by myself.
I find it curious that the debate has settled down upon
demonstrably weaker alternatives, as in the current drafts.

I would suggest that the passauth-00.txt "Addition of
Shared Key Authentication" document be modified to use
strong password authentication.  Presenting weak password
authentication as an alternative to strong public-key
methods seems sloppy.

I really prefer the combination of strong public-key AND
strong memorizable passwords, as two independent factors for
authentication, but that's probably asking for a bit much at
this point.

------------------------------------
David P. Jablon
Integrity Sciences, Inc.
Westboro, MA
Tel: +1 508 898 9024
http://world.std.com/~dpj/
E-mail: dpj@world.std.com
Received on Thursday, 6 February 1997 18:51:03 EST
