Re: CompuServe Positions on Passphrases and TLS

Your points on the security of well-built passphrase systems are excellent.

From an architectural standpoint, I thought the issue instead was:
What the !#$%@ are application-level authentication concepts doing in
a transport-level confidentiality protocol?

TLS is attacking a very appropriate solution for user-installable
confidential streams -- but they are streams, no more or less. I think
it's no more reasonable to run an application authentication and
authorization protocol than to sign a "document" within a stream

Pass-phrase driven key-establishment *may* be an appropriate whistle for
TLS/SSL3 to address, but the service of exchanging passphrases securely
might well be out of scope.

Rohit Khare
(my opinions, not W3C's)

Received on Saturday, 20 July 1996 17:42:46 UTC