- From: Eric W. Sink <eric@spyglass.com>
- Date: Wed, 22 Mar 1995 09:06:27 -0600
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Phill writes:

[Note that I finally wised up and noticed that Phillip has TWO l's not one...]

>Personally I would prefer to encrypt the content using the shared secret
>(modified in some manner) and DES or IDEA. I did think of suggesting this at the
>time but then of course we are into massive ITAR problems :-( But no patent
>problems :-)
>
>We should probably have a bridge note written since S-HTTP has lots of shared
>secret mechanisms. Since we now have a shared secret we should employ it...
>
>The simplest mode would be to take the shared secret key [MD5 (password,
>domain, username)] and XOR it with some random 128 bits. Then use the first 64
>bits for the key and the other 64 bits for the IV of the cipher. (PKCS #5). The
>random bitstring is needed because one should attempt to limit the quantities of
>ciphertext sent under the same key.

If we extend Digest authentication to support encryption, then it becomes Something Else. This newly created Something Else may be a really good thing to have around, but it will indeed have "massive ITAR problems".

Digest Authentication is being proposed for inclusion in HTTP/1.1. I don't think we should make ITAR an issue in HTTP/1.1.

--
Eric W. Sink, Senior Software Engineer -- eric@spyglass.com
http://www.spyglass.com/~eric/home.htm
Received on Wednesday, 22 March 1995 09:00:18 UTC