- From: Phillip Hallam-Baker <hallam@ai.mit.edu>
- Date: Sat, 12 Jun 1999 23:24:20 -0400
- To: Alex Kodat <ALEX@sirius.sirius-software.com>, http-wg@hplb.hpl.hp.com

Some history. The HTTP Authentication mechanism was invented back in 1993. The principal constraint on the design was the patent encumbrances on all known forms of public key cryptography. I would much have preferred to have been able to propose a public key based scheme at that time.

Today the Diffie-Hellman patent has expired and the RSA patent will expire in very short order. There is no reason to propose another password based scheme. We should look to phase out the use of passwords entirely - except for passphrases used to secure private keys.

The PKIX group has proposed a complete set of standards for use and management of PKI. Commercial products provide a complete infrastructure for deployment in enterprises both large and small.

Phill

Received on Saturday, 12 June 1999 20:36:29 UTC