Re: Closing on shared-key authentication

> No, you should certainly do something more than just send the password
> encrypted.  You should avoid sending the password at all, encrypted or
> otherwise.  Some sort of challenge/response mechanism would be
> appropriate, but you are protected from eavesdroppers if you encrypt
> the data.

True.  I'm clearly misunderstanding you then.  You said previously:

>There is no need to add a mechanism
>to TLS when all existing protocols already have a password mechanims.

I assumed the password mechanisms that you meant there were
cleartext ones, not more sophisticated ones based on challenge-response
or keyed hashes or anything else.  Was I wrong?

I believe there is a need to add a mechanism to TLS because, while all
existing protocols have password mechanisms, they're lousy ones.

- Marc

Received on Friday, 11 October 1996 14:43:04 UTC