W3C home > Mailing lists > Public > ietf-tls@w3.org > October to December 1996

Re: Closing on shared-key authentication

From: Jeff Williams <jwkckid1@ix.netcom.com>
Date: Fri, 11 Oct 1996 20:55:32 -0500
Message-Id: <>
To: Tom Weinstein <tomw@netscape.com>
Cc: ietf-tls@w3.org

  Please read below your comments.

At 04:11 PM 10/11/96 -0700, you wrote:
>Jeff Williams wrote:
>> At 11:06 AM 10/11/96 -0700, you wrote:
>>> The main distinction I've heard between password authentication and
>>> public key crypto authentication is that a password can be carried
>>> in your head.  If you're using a floppy or other hardware token to
>>> transport your password, why not just use it to transport your
>>> private key?
>>   Yes this is definatly a acceptable approach.  I would think this
>> could also be done by pulling it from the CA as well without the need
>> of any hardware token as well.  Had you thought about that
>> possibility?
>Surely you aren't proposing that the CA would have your private key?

  Oh no, of course not.
>>> I agree with you that 56 bits is a very small step, and provides only
>>> slightly more security than 40.  However, it does indicate that times
>>> may be changing and we should not view current US export policy as
>>> set in stone.
>>   This is still not acceptable in my mind.  I do understand the
>> problems with US export policy and the concerns with security
>> associated with it.  I have to believe that we in the industry or
>> private sector need to lead here however, not follow.  Without at
>> least 128 bit, we are not really providing for our own protection in
>> an adaquate manner.
>Of course it's not acceptable.  It won't be acceptable until there are
>no restrictions on crypto whatsoever.  Just because the current
>political climate in the US imposes certain restrictions does not mean
>that we should enshrine them in an IETF standard.

  Ok, I guess from previous comments there seemed to be some latitude expressed.
I believe that sometimes industry must lead government policies.  It is clear
that some political work is needed here.
>>> The IETF is an international standards organization.  Should we
>>> design our protocols to conform to US policy?  French policy? 
>>> Japanese policy?  I think not.  We should design TLS to be as secure
>>> as possible.
>>   Exactly!  I think that we need to get input from all nations and ask
>> for and include their input as a intragle part of design.  That is
>> however where it get's a bit tricky.  I think that possibly a "Joint
>> Lab" for just such a process needs some thought here.  What do you
>> think?  That way providing for all nations concerns will be addressed
>> and TLS would evolve into being as secure as possible.
>We should construct a protocol that is secure.  As an international
>standard, we should not worry too much about anything any one country
>does.  In France, cryptography is illegal.  What do you suggest we do?

  Right!  Not any ONE country.  BUt my suggestion is a colabrative effort
that would need to be orginized by all currently involved at the Corp.
level and a joint lab development facility be set up with other countries 
corp experts participatiing.  What do you think?


>You should only break rules of style if you can    | Tom Weinstein
>coherently explain what you gain by so doing.      | tomw@netscape.com
Jeffrey A. Williams
SR.Internet Network Eng. 
CEO., IEG., INC.,  Representing PDS .Ltd.
Web: http://www.pds-link.com 
Phone: 214-793-7445 (Direct Line)
Director of Network Eng. and Development IEG. INC.
Received on Friday, 11 October 1996 22:20:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:17:12 UTC