- From: Jeff Williams <jwkckid1@ix.netcom.com>
- Date: Fri, 11 Oct 1996 20:55:32 -0500
- To: Tom Weinstein <tomw@netscape.com>
- Cc: ietf-tls@w3.org
Tom, please read below your comments.

At 04:11 PM 10/11/96 -0700, you wrote:
>Jeff Williams wrote:
>>
>> At 11:06 AM 10/11/96 -0700, you wrote:
>>
>>> The main distinction I've heard between password authentication and
>>> public key crypto authentication is that a password can be carried
>>> in your head. If you're using a floppy or other hardware token to
>>> transport your password, why not just use it to transport your
>>> private key?
>>
>> Yes, this is definitely an acceptable approach. I would think this
>> could also be done by pulling it from the CA as well without the need
>> of any hardware token as well. Had you thought about that
>> possibility?
>
>Surely you aren't proposing that the CA would have your private key?

Oh no, of course not.

>
>>> I agree with you that 56 bits is a very small step, and provides only
>>> slightly more security than 40. However, it does indicate that times
>>> may be changing and we should not view current US export policy as
>>> set in stone.
>>
>> This is still not acceptable in my mind. I do understand the
>> problems with US export policy and the concerns with security
>> associated with it. I have to believe that we in the industry or
>> private sector need to lead here however, not follow. Without at
>> least 128 bit, we are not really providing for our own protection in
>> an adequate manner.
>
>Of course it's not acceptable. It won't be acceptable until there are
>no restrictions on crypto whatsoever. Just because the current
>political climate in the US imposes certain restrictions does not mean
>that we should enshrine them in an IETF standard.

Ok, I guess from previous comments there seemed to be some latitude
expressed. I believe that sometimes industry must lead government
policies. It is clear that some political work is needed here.

>
>>> The IETF is an international standards organization. Should we
>>> design our protocols to conform to US policy? French policy?
>>> Japanese policy? I think not. We should design TLS to be as secure
>>> as possible.
>>
>> Exactly! I think that we need to get input from all nations and ask
>> for and include their input as an integral part of design. That is
>> however where it gets a bit tricky. I think that possibly a "Joint
>> Lab" for just such a process needs some thought here. What do you
>> think? That way providing for all nations' concerns will be addressed
>> and TLS would evolve into being as secure as possible.
>
>We should construct a protocol that is secure. As an international
>standard, we should not worry too much about anything any one country
>does. In France, cryptography is illegal. What do you suggest we do?

Right! Not any ONE country. But my suggestion is a collaborative effort
that would need to be organized by all currently involved at the Corp.
level, and a joint lab development facility be set up with other
countries' corp experts participating. What do you think?

Regards,

>
>--
>You should only break rules of style if you can | Tom Weinstein
>coherently explain what you gain by so doing.   | tomw@netscape.com
>
>

Jeffrey A. Williams
SR. Internet Network Eng. CEO., IEG., INC., Representing PDS .Ltd.
Web: http://www.pds-link.com
Phone: 214-793-7445 (Direct Line)
Director of Network Eng. and Development IEG. INC.
Received on Friday, 11 October 1996 22:20:41 UTC