David Brownell - JavaSoft wrote:
>
> > A lot of the arguments against shared secret client authentication
> > seem to be layering arguments. Specifically, the argument seems to
> > be that shared secret style authentication properly belongs at the
> > application layer.
>
> I may be the first person to have mentioned the specific issue of a
> layering violation, and I'll clarify a misunderstanding here. My issue
> had nothing to do with using shared secrets. (I can't speak for the
> particular issues anyone else may have intended.)
>
> My issue was related to the specific proposal made by Microsoft, which
> would force specific application level issues, related to the languages
> and character sets used by applications (and in fact whether the secret
> is directly known to a user or not, etc), into the transport layer
> security protocol. (Resolve that issue and there were still a bunch of
> other issues ... )
>
> In no way did I say that "shared secrets" in general are bad to include
> in a transport level, or contrariwise that "public keys" are bad. One
> only needs to look at GSS-API for an example of some existing practice,
> already deemed reasonable by the IETF. It supports both schemes.
>
> If folk want shared secret authentication, I suggest looking at the
> work already done by the GSS-API working group; it's supported Kerberos
> for a long time, and evidently now supports some public key flavors.
>
> - Dave

unsubscribe

Received on Tuesday, 8 October 1996 19:22:35 UTC