RE: CompuServe Positions on Passphrases and TLS
>From: Rohit Khare[SMTP:khare@w3.org]
>
>From an architectural standpoint, I thought the issue instead was:
>What the !#$%@ are application-level authentication concepts doing in
>a transport-level confidentiality protocol?
>
If authentication is an "application-level" concept unfit for the TLS
layer, then most of the TLS handshake should be thrown away, since it
deals largely with authentication. Personally, I consider
authentication to be far too sensitive a task to trust to applications.
(Then again, I also consider authorization to be far too sensitive a
task to trust to applications; how many operating systems, after all,
treat file access control as an application-level matter?) But
regardless of where you think authentication should go, passphrase-based
authentication should obviously be in the same place as public-key-based
authentication, since they both perform the same function.

As for authorization, the only people I can think of who are trying to
slip authorization into TLS are pushing attribute certificates, not
passphrase authentication.

Daniel Simon
Cryptographer, Microsoft Corp.
dansimon@microsoft.com