- From: EKR <ekr@terisa.com>
- Date: Tue, 08 Oct 1996 11:30:08 -0700
- To: ietf-tls@w3.org
A lot of the arguments against shared secret client authentication seem to be layering arguments. Specifically, the argument seems to be that shared secret style authentication properly belongs at the application layer. While I feel that this argument has some force in principle, it seems to me to be deeply problematic in this specific case, for a number of reasons: 1. The security services that TLS provides to the application layer are inadequate for this purpose. The obvious approach to layering protocols which require shared secret authentication over TLS is simply to pass the shared secret directly over the TLS channel, using TLS as TCP has always been used. However, in the common case, TLS application layer data is encrypted with a 40 bit keyspace, which means that that's all the protection provided for the shared secret. Consequently, we either have to accept this limitation or the application needs to provide it's own protection for the shared secret. 2. Forcing applications to provide their own security argues against the purpose of TLS. Much of the argument for TLS is that applications can then be largely security oblivious while still taking advantage of security services. While data confidentiality for the data on the channel is important, there is a lot of historical evidence that the primary security need for e.g. telnet is actually access control, not data confidentiality, and this is typically provided via a shared secret. If TLS can't serve this need in an adequate way, then securing them will require a lot more work than just layering them on top of TLS--at which point one might easily imagine providing an application specific protocol which would meet that application's precise security needs in a single package. 3. There are a large number of common internet protocols which require shared secret style authentication, including but not limited to telnet, the Berkeley r-protocols, NNTP under certain circumstances... So, we're going to be reinventing this wheel a lot of times. This still doesn't make it TLS's job, but it's hard to see who's job it is, then. 4. We've already violated this layering boundary. Public key style client authentication isn't really a necessary part of TLS service provision and could be easily handled at the application layer. This layering argument would be a lot more convincing if we hadn't already gone against it. -Ekr
Received on Tuesday, 8 October 1996 14:29:05 UTC