- From: Marc VanHeyningen <marcvh@aventail.com>
- Date: Fri, 11 Oct 1996 11:39:07 -0700
- To: Tom Weinstein <tomw@netscape.com>
- cc: "'ietf-tls@w3.org'" <ietf-tls@w3.org>
> No, you should certainly do something more than just send the password
> encrypted. You should avoid sending the password at all, encrypted or
> otherwise. Some sort of challenge/response mechanism would be
> appropriate, but you are protected from eavesdroppers if you encrypt
> the data.

True. I'm clearly misunderstanding you then. You said previously:

> There is no need to add a mechanism
> to TLS when all existing protocols already have a password mechanism.

I assumed the password mechanisms that you meant there were cleartext ones, not more sophisticated ones based on challenge-response or keyed hashes or anything else. Was I wrong?

I believe there is a need to add a mechanism to TLS because, while all existing protocols have password mechanisms, they're lousy ones.

- Marc
Received on Friday, 11 October 1996 14:43:04 UTC