Re: CompuServe Positions on Passphrases and TLS
Your points on the security of well-built passphrase systems are excellent.
From an architectural standpoint, I thought the issue instead was:

What the !#$%@ are application-level authentication concepts doing in
a transport-level confidentiality protocol?

TLS is attacking a very appropriate solution for user-installable
confidential streams -- but they are streams, no more or less. I think
it's no more reasonable to run an application authentication and
authorization protocol than to sign a "document" within a stream
abstraction.

Pass-phrase driven key-establishment *may* be an appropriate whistle for
TLS/SSL3 to address, but the service of exchanging passphrases securely
might well be out of scope.
Rohit Khare
(my opinions, not W3C's)
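As an added example (not part of the original message, and not code from the poster, W3C or any TLS implementation), here is one way the layering the post argues for looks in practice: the transport supplies a confidential byte stream, and passphrase authentication runs as an ordinary application protocol on top of it. A `socket.socketpair()` stands in for the confidential stream so the code runs offline; the same two functions work unchanged over an `ssl.SSLSocket`, since they only use `sendall`/`recv`. The PBKDF2 stretching, the length-prefixed framing and the HMAC challenge-response scheme are assumptions chosen for the demonstration, not anything the message proposes.

```python
"""Passphrase authentication layered above a confidential stream.

Added example, not from the original post.  The socket pair models the
stream; in deployment it would be a TLS-protected socket with the same
sendall/recv interface.  Scheme (PBKDF2 + HMAC challenge-response),
constants and passphrases are assumptions for the demo.
"""
import hashlib
import hmac
import os
import socket
import struct
import threading

PBKDF2_ITERS = 100_000  # assumption: stretching cost for the demo


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a fixed-length verifier key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERS)


def send_msg(sock: socket.socket, payload: bytes) -> None:
    """Length-prefixed framing: the stream delivers bytes, not messages."""
    sock.sendall(struct.pack("!H", len(payload)) + payload)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed mid-message")
        buf += chunk
    return buf


def recv_msg(sock: socket.socket) -> bytes:
    (n,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, n)


def server_authenticate(sock: socket.socket, salt: bytes, stored_key: bytes) -> bool:
    """Server side: send salt and a fresh nonce, verify the client's HMAC over the nonce."""
    nonce = os.urandom(32)
    send_msg(sock, salt)
    send_msg(sock, nonce)
    response = recv_msg(sock)
    expected = hmac.new(stored_key, nonce, "sha256").digest()
    ok = hmac.compare_digest(response, expected)
    send_msg(sock, b"OK" if ok else b"FAIL")
    return ok


def client_authenticate(sock: socket.socket, passphrase: str) -> bool:
    """Client side: derive the key locally; the passphrase itself never crosses the stream."""
    salt = recv_msg(sock)
    nonce = recv_msg(sock)
    key = derive_key(passphrase, salt)
    send_msg(sock, hmac.new(key, nonce, "sha256").digest())
    return recv_msg(sock) == b"OK"


def run_exchange(server_passphrase: str, client_passphrase: str) -> tuple:
    """Drive both ends over a socket pair; returns (server_verdict, client_verdict)."""
    salt = os.urandom(16)
    stored_key = derive_key(server_passphrase, salt)  # what the server keeps on file
    srv, cli = socket.socketpair()
    result = {}

    def server() -> None:
        result["server"] = server_authenticate(srv, salt, stored_key)

    t = threading.Thread(target=server)
    t.start()
    result["client"] = client_authenticate(cli, client_passphrase)
    t.join()
    srv.close()
    cli.close()
    return result["server"], result["client"]


if __name__ == "__main__":
    # Constructed sample passphrases, not real credentials.
    print(run_exchange("correct horse battery staple", "correct horse battery staple"))
    print(run_exchange("correct horse battery staple", "wrong guess"))
```

Note that nothing in `server_authenticate` or `client_authenticate` knows whether the underlying stream is TLS or plaintext; the confidentiality and endpoint identity come from the transport, the user authentication from the application. The caveat a practitioner would add is that this separation also means the two layers are not bound to each other: the application protocol does not by itself detect a relay between two independent streams, so any binding of the authentication to the specific channel would have to be designed in deliberately rather than assumed.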