- From: Dan Simon <dansimon@microsoft.com>
- Date: Mon, 22 Jul 1996 11:09:12 -0700
- To: "'ietf-tls@w3.org'" <ietf-tls@w3.org>
- Cc: "'jmacko@nisa.compuserve.com'" <jmacko@nisa.compuserve.com>, "'Rohit Khare'" <khare@w3.org>
>From: Rohit Khare[SMTP:khare@w3.org] > >From an architectural standpoint, I thought the issue instead was: >What the !#$%@ are application-level authentication concepts doing in >a transport-level confidentiality protocol? > If authentication is an "application-level" concept unfit for the TLS layer, then most of the TLS handshake should be thrown away, since it deals largely with authentication. Personally, I consider authentication to be far too sensitive a task to trust to applications. (Then again, I also consider authorization to be far too sensitive a task to trust to applications; how many operating systems, after all, treat file access control as an application-level matter?) But regardless of where you think authentication should go, passphrase-based authentication should obviously be in the same place as public-key-based authentication, since they both perform the same function. As for authorization, the only people I can think of who are trying to slip authorization into TLS are pushing attribute certificates, not passphrase authentication. Daniel Simon Cryptographer, Microsoft Corp. dansimon@microsoft.com >
Received on Monday, 22 July 1996 14:17:41 UTC