- From: David P. Kemp <dpkemp@missi.ncsc.mil>
- Date: Mon, 29 Jul 1996 09:49:52 -0400
- To: ietf-tls@w3.org
> From: Keith Ball <Keith_Ball@novell.com> > > The issues for password seem to be based on technical strength versus > business need. > [...] > Has anyone tried a compromise? How about making it so additional > authentication methods could be added to the handshake protocol. No. The "good" (again, I don't think static passords themselves are a good idea) thing about the current password proposal is that it cannot corrupt the authentication mechanism used by TLS. The only thing the proposal does is protect passwords from sniffers *using* the authentication strength of TLS instead of it's (possibly weaker) encryption strength. This is a safe technical option - it does not reduce the strength of TLS authentication or encryption. It may or may not weaken the public perception of TLS - and I by virtue of being employed by the Government am utterly unqualified to take any credible position on PR questions :-). It is just important to remember that the password question as it stands is entirely an issue of perception, not of technical strength, and it will have to be decided accordingly.
Received on Monday, 29 July 1996 09:50:33 UTC