Re: Password change via HTTP

Some history.

    The HTTP Authentication mechanism was invented back in 1993. The
principal constraint on the design was the patent encumbrances on all known
forms of public key cryptography. I would much have preferred to have been
able to propose a public key based scheme at that time.

    Today the Diffie Hellman patent has expired and the RSA patent will
expire in very short order. There is no reason to propose another password
based scheme. We should look to phase out the use of passwords entirely -
except for passphrases used to secure private keys.

    The PKIX group has proposed a complete set of standards for use and
management of PKI. Commercial products provide a complete infrastructure for
deployment in enterprises both large and small.

        Phill

Received on Saturday, 12 June 1999 20:36:29 UTC