Re: Closing on shared-key authentication


  Please read below your comments.

At 04:11 PM 10/11/96 -0700, you wrote:
>Jeff Williams wrote:
>> At 11:06 AM 10/11/96 -0700, you wrote:
>>> The main distinction I've heard between password authentication and
>>> public key crypto authentication is that a password can be carried
>>> in your head.  If you're using a floppy or other hardware token to
>>> transport your password, why not just use it to transport your
>>> private key?
>>   Yes this is definatly a acceptable approach.  I would think this
>> could also be done by pulling it from the CA as well without the need
>> of any hardware token as well.  Had you thought about that
>> possibility?
>Surely you aren't proposing that the CA would have your private key?

  Oh no, of course not.
>>> I agree with you that 56 bits is a very small step, and provides only
>>> slightly more security than 40.  However, it does indicate that times
>>> may be changing and we should not view current US export policy as
>>> set in stone.
>>   This is still not acceptable in my mind.  I do understand the
>> problems with US export policy and the concerns with security
>> associated with it.  I have to believe that we in the industry or
>> private sector need to lead here however, not follow.  Without at
>> least 128 bit, we are not really providing for our own protection in
>> an adaquate manner.
>Of course it's not acceptable.  It won't be acceptable until there are
>no restrictions on crypto whatsoever.  Just because the current
>political climate in the US imposes certain restrictions does not mean
>that we should enshrine them in an IETF standard.

  Ok, I guess from previous comments there seemed to be some latitude expressed.
I believe that sometimes industry must lead government policies.  It is clear
that some political work is needed here.
>>> The IETF is an international standards organization.  Should we
>>> design our protocols to conform to US policy?  French policy? 
>>> Japanese policy?  I think not.  We should design TLS to be as secure
>>> as possible.
>>   Exactly!  I think that we need to get input from all nations and ask
>> for and include their input as a intragle part of design.  That is
>> however where it get's a bit tricky.  I think that possibly a "Joint
>> Lab" for just such a process needs some thought here.  What do you
>> think?  That way providing for all nations concerns will be addressed
>> and TLS would evolve into being as secure as possible.
>We should construct a protocol that is secure.  As an international
>standard, we should not worry too much about anything any one country
>does.  In France, cryptography is illegal.  What do you suggest we do?

  Right!  Not any ONE country.  BUt my suggestion is a colabrative effort
that would need to be orginized by all currently involved at the Corp.
level and a joint lab development facility be set up with other countries 
corp experts participatiing.  What do you think?


>You should only break rules of style if you can    | Tom Weinstein
>coherently explain what you gain by so doing.      |
Jeffrey A. Williams
SR.Internet Network Eng. 
CEO., IEG., INC.,  Representing PDS .Ltd.
Phone: 214-793-7445 (Direct Line)
Director of Network Eng. and Development IEG. INC.

Received on Friday, 11 October 1996 22:20:41 UTC