W3C home > Mailing lists > Public > ietf-tls@w3.org > October to December 1996

Re: Closing on shared-key authentication

From: Jeff Weinstein <jsw@netscape.com>
Date: Mon, 14 Oct 1996 23:35:29 -0700
Message-ID: <326330B1.5390@netscape.com>
To: Bennet Yee <bsy@cs.ucsd.edu>
CC: ietf-tls@w3.org
Bennet Yee wrote:
> I've been too busy, but felt this deserves a reply.
> Jeff Weinstein wrote regarding password mechanisms:
> >   Also note that these protocols (HTTP, POP, etc.) have to solve this
> > problem anyway, since they will generally not be used with TLS any
> > time soon.  Since they are already solving the problem, why do we
> > need to do it again?
> All programs must do I/O.  Since they all have to figure out how to do
> so, why provide them with operating systems or standard libraries to
> help them?

  There is a difference.  All these programs run on operating
systems.  They require the OS to run.  My point was that these
protocols MUST be able to do strong authentication in the
absence of TLS, therefore they are already solving this

  If we go down this road, we will have clients that want to
do https: with HTTP digest auth trying to communicate with
servers that want to do https: with TLS password auth and
no HTTP auth.  This will lead to interoperability hell, since
there will be two common methods for doing the same thing,
with no clear consensus.


Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
Received on Tuesday, 15 October 1996 02:38:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:17:12 UTC