Re: Closing on shared-key authentication

From: Marc VanHeyningen <marcvh@aventail.com>
Date: Fri, 11 Oct 1996 15:34:13 -0700
To: Tom Weinstein <tomw@netscape.com>
cc: "'ietf-tls@w3.org'" <ietf-tls@w3.org>
Message-ID: <23183.845073253@cosmo.aventail.com>

Tom Weinstein said:
> Marc VanHeyningen wrote:
> > True.  I'm clearly misunderstanding you then.  You said previously:
> > 
> >> There is no need to add a mechanism to TLS when all existing
> >> protocols already have a password mechanism.
> > 
> > I assumed the password mechanisms that you meant there were
> > cleartext ones, not more sophisticated ones based on
> > challenge-response or keyed hashes or anything else.  Was I wrong?
> 
> Well, for example, HTTP has digest authentication.  POP3 and IMAP are
> adding similar mechanisms.  Yes, the telnet password mechanism is
> completely horrible, but there are protocols for which that is not true.

Yes, there are a few protocols which offer better shared-secret
authentication.  Not most, and certainly not "all," and even things
like HTTP digest auth are not widely supported or used.

> Yes, a lot of existing protocols have lousy password mechanisms.  But
> to integrate any sort of TLS password mechanism, you're going to have
> to change the protocol if for no other reason than to STOP sending the
> password in the clear.  If you're going to do that, why not just fix
> the protocol?

I don't understand this claim at all.
Most protocols that support passwords also support not having them,
and even if they don't you can just use a bogus one.

Received on Friday, 11 October 1996 18:38:08 UTC
