Re: More KeyedDigest... Re: another Digest Access Authentication question

Phill writes:

[Note that I finally wised up and noticed that Phillip has TWO l's not one...]

>Personally I would prefer to encrypt the content using the shared secret
>(modified in some manner) and DES or IDEA. I did think of suggesting this
>at the
>time but then of course we are into massive ITAR problems :-( But no patent
>problems :-)
>We should probably have a bridge note written since S-HTTP has lots of shared
>secret mechanisms. Since we now have a shared secret we should employ it...
>The simplest mode would be to take the shared secret key  [MD5 (password,
>domain, username)] and XOR it with some random 128 bits. Then use the first 64
>bits for the key and the other 64 bits for the IV of the cipher. (PKCS
>#5). The
>random bitstring is needed because one should attempt to limit the
>quantities of
>ciphertext sent under the same key.

If we extend Digest authentication to support encryption, then it becomes
Something Else.  This newly created Something Else may be a really good
thing to have around, but it will indeed have "massive ITAR problems".
Digest Authentication is being proposed for inclusion in HTTP/1.1.  I don't
think we should make ITAR an issue in HTTP/1.1.

Eric W. Sink, Senior Software Engineer --

Received on Wednesday, 22 March 1995 09:00:18 UTC