- From: <jg@zorch.w3.org>
- Date: Thu, 19 Sep 96 11:27:55 -0400
- To: Jim Whitehead <ejw@ics.uci.edu>, w3c-dist-auth@w3.org
- Cc: Alan Freier <freier@netscape.com>

Alan is certainly right about what is going on around MD5 in the industry and in research. While Ron Rivest's (the R of RSA) reply to me earlier this week was that for our purposes in HTTP Digest authentication plain MD5 was probably just fine, it is also clear that some people will not be comfortable with its use, as it has recently shown certain classes of vulnerabilities.

Each time some vulnerability comes up, we don't want to have to always deal with understanding its implications to HTTP work, but should leverage other people's crypto work as much as possible. In the area of what HTTP should do semantically, we really don't want/need to take on all cryptographic problems too.

We need to get the HTTP documents to correctly interact with all the IP security work going on in the IETF, so that this problem doesn't come back to haunt HTTP work forever. IPSEC is specifying a hash function for authentication purposes; the way out of the morass is to organize things to reference (as soon as possible; it may not currently be trivial to do this instant on process grounds for things like Digest, as the IPSEC documents themselves are being revised and may not be far enough along for us to reference them to meet IETF process standards for proposed standard that Digest is at) the IPSEC work on authentication functions, rather than get into it ourselves.

My understanding from a hallway conversation yesterday with Matt Thomas of Digital (involved in the IPV6 work) is that IPSEC is going with MD5-HMAC right now (whatever exactly that is; it is a variation on the original MD5 algorithm), and I asked Matt to get me information on who is shepherding these IPSEC documents through the IETF process so I could understand what was happening there to deal with IETF process issues (we have much the same problem right now with Digest authentication, where we specify which algorithm and are not in the midst of the people who are expert in this area), to address Phil Karlton of Netscape's concerns about Digest. I'll be trying to sort this out some over the next couple days, if I can.

- Jim

Received on Thursday, 19 September 1996 11:28:20 UTC