- From: Jeff Weinstein <jsw@netscape.com>
- Date: Fri, 26 Jul 1996 02:56:27 -0700
- To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
- CC: ietf-tls@w3.org
David P. Kemp wrote:
>
> > From ietf-tls-request@w3.org Thu Jul 25 06:36:35 1996
> > Resent-Date: Thu, 25 Jul 1996 06:36:08 -0400
> From: Jeff Weinstein <jsw@netscape.com>
>
> > 2) many (most?) people reuse their passwords.
>
> That is a good argument for requiring that users not be allowed
> to choose their passwords. Isn't that standard practice at most
> web sites that use basic auth - the content provider, not the user,
> picks the password?

I have accounts on over a dozen sites that use basic auth on the
internet. In every case I provided my own username and password.
If these sites forced passwords on users they would end up with a
lot fewer subscribers.

> Don't get me wrong - I believe there is not a single good thing
> that can be said about static passwords. But the question here is
> should the TLS protocol support strong protection for them. As
> the proposal appears to have no negative effect on the rest of
> TLS, I don't see a reason for opposing the password proposal.

I think that including password authentication does weaken TLS.
Every time someone's password is stolen and used to impersonate
someone using TLS, it will weaken the public perception of the
standard. I realize that this is not a technical concern, but it
is a real one.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

Received on Friday, 26 July 1996 05:58:41 UTC