RE: Repost of CompuServe Position on Passphrases

> From: Keith Ball <>
> The issues for password seem to be based on technical strength versus
> business need.
>   [...]
> Has anyone tried a compromise?  How about making it so additional
> authentication methods could be added to the handshake protocol?

No. The "good" (again, I don't think static passwords themselves are
a good idea) thing about the current password proposal is that it
cannot corrupt the authentication mechanism used by TLS.

The only thing the proposal does is protect passwords from sniffers
*using* the authentication strength of TLS instead of its (possibly weaker)
encryption strength.  This is a safe technical option - it does not
reduce the strength of TLS authentication or encryption.

It may or may not weaken the public perception of TLS - and I by virtue
of being employed by the Government am utterly unqualified to take
any credible position on PR questions :-).

It is just important to remember that the password question as it
stands is entirely an issue of perception, not of technical strength,
and it will have to be decided accordingly.

Received on Monday, 29 July 1996 09:50:33 UTC