Re: Closing on shared-key authentication

Tom Weinstein said:
> Marc VanHeyningen wrote:
> > True.  I'm clearly misunderstanding you then.  You said previously:
> > 
> >> There is no need to add a mechanism to TLS when all existing
> >> protocols already have a password mechanims.
> > 
> > I assumed the password mechanisms that you meant there were
> > cleartext ones, not more sophisticated ones based on
> > challenge-response or keyed hashes or anything else.  Was I wrong?
> Well, for example, HTTP has digest authentication.  POP3 and IMAP are
> adding similar mechanisms.  Yes, the telnet password mechanism is
> completely horrible, but there are protocols for which that is not true.

Yes, there are a few protocols which offer better shared-secret
authentication.  Not most, and certainly not "all," and even things
like HTTP digest auth are not widely supported or used.

> Yes, a lot of existing protocols have lousy password mechanisms.  But
> to integrate any sort of TLS password mechanism, you're going to have
> to change the protocol if for no other reason than to STOP sending the
> password in the clear.  If you're going to do that, why not just fix
> the protocol?

I don't understand this claim at all.
Most protocols that support passwords also support not having them,
and even if they don't you can just use a bogus one.

Received on Friday, 11 October 1996 18:38:08 UTC