- From: Daniel F. Sullivan Jr. <dsulliva@mail.bcpl.lib.md.us>
- Date: Thu, 07 Nov 1996 23:21:48 +0000
- To: David Brownell - JavaSoft <david.brownell@Eng.Sun.COM>
- Cc: ietf-tls@w3.org, ekr@terisa.com
David Brownell - JavaSoft wrote: > > > A lot of the arguments against shared secret client authentication > > seem to be layering arguments. Specifically, the argument seems to > > be that shared secret style authentication properly belongs at the > > application layer. > > I may be the first person to have mentioned the specific issue of a > layering violation, and I'll clarify a misunderstanding here. My issue > had nothing to do with using shared secrets. (I can't speak for the > particular issues anyone else may have intended.) > > My issue was related to the specific proposal made by Microsoft, which > would force specific application level issues, related to the languages > and character sets used by applications (and in fact whether the secret > is directly known to a user or not, etc), into the transport layer > security protocol. (Resolve that issue and there were still a bunch of > other issues ... ) > > In no way did I say that "shared secrets" in general are bad to include > in a transport level, or contrariwise that "public keys" are bad. One > only needs to look at GSS-API for an example of some existing practice, > already deemed reasonable by the IETF. It supports both schemes. > > If folk want shared secret authentication, I suggest looking at the > work already done by the GSS-API working group; it's supported Kerberos > for a long time, and evidently now supports some public key flavors. > > - Dave unsubscribe
Received on Tuesday, 8 October 1996 19:22:35 UTC