RE: Repost of CompuServe Position on Passphrases

At 5:46 PM -0700 7/31/96, Don Schmidt wrote:
>>>use use FTP's current password methods to authenticate the client.
>>>Same can be done with HTTP using it's current auth structure,
>>and most every other protocol over SSL.
>is precisely one of the problems that including a standard shared-secret
>auth mechanism in TLS is designed to solve.  Each one of these protocols
>does password auth in an app specific manner.  It would greatly simplify
>the development, deployment and administration of secured apps if there
>is was one system-level protocol and I/F for security.  This is a
>benefit of TLS for certificate-based auth.  When it is within our grasp,
>who are we to deny the same benefit to  applications or service
>providers that have reasons to continue to use shared-secret based auth?

But if you are going to do that much engineering to change software to "one
system-level protocol", then it should be a small step to using
certificates correctly. If legacy is important, they use the application
level AUTH commands over SSL. If you are doing something new, use

..Christopher Allen                  Consensus Development Corporation..
..<>                 1563 Solano Avenue #355..
..                                             Berkeley, CA 94707-2116..
..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
..  Security Integration Suite(tm)" <>..

Received on Wednesday, 31 July 1996 21:22:30 UTC