- From: Marc VanHeyningen <marcvh@aventail.com>
- Date: Fri, 11 Oct 1996 15:34:13 -0700
- To: Tom Weinstein <tomw@netscape.com>
- cc: "'ietf-tls@w3.org'" <ietf-tls@w3.org>

Tom Weinstein said:
> Marc VanHeyningen wrote:
> > True. I'm clearly misunderstanding you then. You said previously:
> >
> >> There is no need to add a mechanism to TLS when all existing
> >> protocols already have a password mechanism.
> >
> > I assumed the password mechanisms that you meant there were
> > cleartext ones, not more sophisticated ones based on
> > challenge-response or keyed hashes or anything else. Was I wrong?
>
> Well, for example, HTTP has digest authentication. POP3 and IMAP are
> adding similar mechanisms. Yes, the telnet password mechanism is
> completely horrible, but there are protocols for which that is not true.

Yes, there are a few protocols which offer better shared-secret
authentication. Not most, and certainly not "all," and even things
like HTTP digest auth are not widely supported or used.

> Yes, a lot of existing protocols have lousy password mechanisms. But
> to integrate any sort of TLS password mechanism, you're going to have
> to change the protocol if for no other reason than to STOP sending the
> password in the clear. If you're going to do that, why not just fix
> the protocol?

I don't understand this claim at all. Most protocols that support
passwords also support not having them, and even if they don't, you can
just use a bogus one.

Received on Friday, 11 October 1996 18:38:08 UTC