RE: Repost of CompuServe Position on Passphrases
> From: Keith Ball <Keith_Ball@novell.com>
>
> The issues for password seem to be based on technical strength versus
> business need.
> [...]
> Has anyone tried a compromise? How about making it so additional
> authentication methods could be added to the handshake protocol.
No. The "good" (again, I don't think static passwords themselves are
a good idea) thing about the current password proposal is that it
cannot corrupt the authentication mechanism used by TLS.
The only thing the proposal does is protect passwords from sniffers
*using* the authentication strength of TLS instead of its (possibly weaker)
encryption strength. This is a safe technical option - it does not
reduce the strength of TLS authentication or encryption.
It may or may not weaken the public perception of TLS - and I by virtue
of being employed by the Government am utterly unqualified to take
any credible position on PR questions :-).
It is just important to remember that the password question as it
stands is entirely an issue of perception, not of technical strength,
and it will have to be decided accordingly.