Re: Closing on shared-key authentication
Tom Weinstein said:
> Marc VanHeyningen wrote:
> > True. I'm clearly misunderstanding you then. You said previously:
> >
> >> There is no need to add a mechanism to TLS when all existing
> >> protocols already have a password mechanisms.
> >
> > I assumed the password mechanisms that you meant there were
> > cleartext ones, not more sophisticated ones based on
> > challenge-response or keyed hashes or anything else. Was I wrong?
>
> Well, for example, HTTP has digest authentication. POP3 and IMAP are
> adding similar mechanisms. Yes, the telnet password mechanism is
> completely horrible, but there are protocols for which that is not true.
Yes, there are a few protocols which offer better shared-secret
authentication. Not most, and certainly not "all," and even things
like HTTP digest auth are not widely supported or used.
> Yes, a lot of existing protocols have lousy password mechanisms. But
> to integrate any sort of TLS password mechanism, you're going to have
> to change the protocol if for no other reason than to STOP sending the
> password in the clear. If you're going to do that, why not just fix
> the protocol?
I don't understand this claim at all.
Most protocols that support passwords also support not having them,
and even if they don't you can just use a bogus one.
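As an added illustration of the "challenge-response or keyed hashes" mechanisms the thread contrasts with cleartext passwords (HTTP Digest authentication is the one Tom names), here is a minimal RFC 2617 Digest round trip, qop="auth" form. It is example code written for this page, not code from the mailing-list participants; the username, realm, nonce, password and URI values are constructed. It shows the property under discussion: the password enters only the client's H(A1) computation, the server stores and verifies against H(A1) rather than the password, and the nonce binds each response to one challenge.

```python
"""Minimal HTTP Digest authentication (RFC 2617, qop="auth") round trip.

Added illustration for the thread above, not code from the list.
All sample values (user, realm, nonce, password, URI) are constructed.
"""
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    # Digest auth as specified in RFC 2617 is built on MD5.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    # H(A1) is the only place the cleartext password enters the scheme;
    # a server can store this value instead of the password itself.
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str,
                    method: str, uri: str) -> str:
    # response = H( H(A1) : nonce : nc : cnonce : qop : H(A2) )
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_authorization(username: str, realm: str, password: str,
                         nonce: str, method: str, uri: str,
                         nc: str = "00000001", cnonce: str = None) -> str:
    """Build the Authorization header a client sends for a server challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(compute_ha1(username, realm, password),
                           nonce, nc, cnonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header: str) -> dict:
    """Parse the comma-separated key=value / key="value" pairs of a Digest header."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for part in header[len("Digest "):].split(", "):
        key, value = part.split("=", 1)
        fields[key] = value.strip('"')
    return fields


def server_verify(header: str, stored_ha1: str, expected_nonce: str,
                  method: str, uri: str) -> bool:
    """Server side: recompute from stored H(A1); the password is never needed."""
    f = parse_authorization(header)
    if f.get("nonce") != expected_nonce or f.get("uri") != uri:
        return False  # stale or foreign nonce, or mismatched request URI
    expected = digest_response(stored_ha1, f["nonce"], f["nc"],
                               f["cnonce"], method, uri)
    return hmac.compare_digest(expected, f["response"])


if __name__ == "__main__":
    # Constructed sample exchange: server issues a nonce, client answers,
    # server checks the answer against its stored H(A1).
    realm, nonce = "example-realm", secrets.token_hex(16)
    stored = compute_ha1("alice", realm, "correct horse")
    hdr = client_authorization("alice", realm, "correct horse",
                               nonce, "GET", "/index.html")
    print(hdr)
    print("password on the wire:", "correct horse" in hdr)
    print("verified:", server_verify(hdr, stored, nonce, "GET", "/index.html"))
```

The caveat a practitioner would add to the thread's point: Digest keeps the password off the wire and lets the server store H(A1) instead of the password, but MD5 is fast, so an observer who captures a response can still try password guesses offline against it; the scheme resists eavesdropping and simple replay (via the nonce), not dictionary attack on weak passwords.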