Re: Closing on shared-key authentication

Bennet Yee wrote:
> I've been too busy, but felt this deserves a reply.
> Jeff Weinstein wrote regarding password mechanisms:
> >   Also note that these protocols (HTTP, POP, etc.) have to solve this
> > problem anyway, since they will generally not be used with TLS any
> > time soon.  Since they are already solving the problem, why do we
> > need to do it again?
> All programs must do I/O.  Since they all have to figure out how to do
> so, why provide them with operating systems or standard libraries to
> help them?

  There is a difference.  All these programs run on operating
systems.  They require the OS to run.  My point was that these
protocols MUST be able to do strong authentication in the
absence of TLS, therefore they are already solving this

  If we go down this road, we will have clients that want to
do https: with HTTP digest auth trying to communicate with
servers that want to do https: with TLS password auth and
no HTTP auth.  This will lead to interoperability hell, since
there will be two common methods for doing the same thing,
with no clear consensus.


Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation -
Any opinions expressed above are mine.

Received on Tuesday, 15 October 1996 02:38:30 UTC