- From: Rohit Khare <khare@w3.org>
- Date: Sat, 20 Jul 1996 17:42:43 -0400 (EDT)
- To: ietf-tls@w3.org, jmacko@nisa.compuserve.com
Your points on the security of well-built passphrase systems are excellent. From an architectural standpoint, I thought the issue instead was: What the !#$%@ are application-level authentication concepts doing in a transport-level confidentiality protocol? TLS is attacking a very appropriate solution for user-installable confidential streams -- but they are streams, no more or less. I think it's no more reasonable to run an application authentication and authorization protocol than to sign a "document" within a stream abstraction. Pass-phrase driven key-establishment *may* be an appropriate whistle for TLS/SSL3 to address, but the service of exchanging passphrases securely might well be out of scope. Rohit Khare (my opinions, not W3C's)
Received on Saturday, 20 July 1996 17:42:46 UTC