- From: David P. Jablon <dpj@world.std.com>
- Date: Thu, 06 Feb 1997 18:52:07 -0500
- To: ietf-tls@w3.org
Earlier threads on this list seem to have focused debate on weak methods for password/passphrase/shared-secret authentication. Methods that are immune to unconstrained dictionary attack have been around since 1992, from Bellovin & Merritt's EKE family of protocols, to the SPEKE method developed by myself. I find it curious that the debate has settled down upon demonstrably weaker alternatives, as in the current drafts.

I would suggest that the passauth-00.txt "Addition of Shared Key Authentication" document be modified to use strong password authentication. Presenting weak password authentication as an alternative to strong public-key methods seems sloppy.

I really prefer the combination of strong public-key AND strong memorizable passwords, as two independent factors for authentication, but that's probably asking for a bit much at this point.

------------------------------------
David P. Jablon
Integrity Sciences, Inc.
Westboro, MA
Tel: +1 508 898 9024
http://world.std.com/~dpj/
E-mail: dpj@world.std.com

Received on Thursday, 6 February 1997 18:51:03 UTC