Re: http-digest-aa-rev-00.txt

At 09:12 AM 8/6/97 -0500, John Franks wrote:
>On Wed, 6 Aug 1997, David Jablon wrote:
>
>> Gentlemen,
>> 
>> I support your goal of replacing the clear-text
>> password method in HTTP with something stronger, but I
>> wonder about why you didn't consider something stronger.
>> Several password-based protocols are known that
>> are much better than the one described in this
>> document:
>> 
>
>To quote from the draft:
>
>   "Digest Authentication does not provide a strong authentication
>   mechanism.  That is not its intent.  It is intended solely to replace
>   a much weaker and even more dangerous authentication mechanism: Basic
>   Authentication.  An important design constraint is that the new
>   authentication scheme be free of patent and export restrictions."
>
>The necessity to avoid any patent and export restrictions is
>fundamental.  In particular, protocols which make any use of
>public-key techniques are not acceptable.

Why?

As I understand export regulations, no authentication-only method
is export controlled.  As for patent restrictions, have you
actually done an investigation into these?

I'd like to better understand your concerns here, with regard
to both patents and public-key techniques.  To rule out the entire
category of public-key assisted methods seems extremely
limiting, and a clear rationale for such a fundamental
restriction is certainly missing from the draft.

Received on Wednesday, 6 August 1997 10:59:50 UTC