- From: David Wagner <daw@cs.berkeley.edu>
- Date: 26 Jul 1996 02:47:26 -0700
- To: ietf-tls@w3.org

It seems to me that the discussion about whether to offer passphrase authentication in TLS is a bit of a red herring.

If you want to present the passphrase authentication abstraction to the user, then this is easy-- passphrases are (roughly speaking) a key management technique, or are most powerful when used as such. (Witness PGP's private RSA key protected both by host security and a passphrase.) Most of the requirements listed in your email can be satisfied by letting the user see the passphrase user interface, using the passphrases for key management, and using e.g. RSA keys for TLS key exchange.

(I'll certainly admit that this is only roughly true-- for instance, the requirement that folks be able to take their cryptographic secrets with them in their head, without any floppy disks or whatnot, isn't solved by that paradigm-- but it seems to cover most of the objections.)

Then again, I'm just starting to learn this stuff, so what do I know... If I'm being dense, tell me to shut up. :-)

-- Dave Wagner, TLS.newbie-at-large.

Received on Friday, 26 July 1996 05:50:20 UTC