Re: No More Passwords In The Clear in HTTP!
Tue, 10 Jan 1995 17:14:56 +0100

Jon E. Mittelhauser writes:
> At 01:06 AM 1/10/95 +0100, Daniel W. Connolly wrote:
> >This was something of an eye-opener. It's so simple. We should have
> >been doing this all along. There was never any reason to send
> >passwords in the clear (well, uuencoded), given HTTP's two-round-trip
> >authentication mechanism.
> >
> >Why is this nifty proposal tucked away in a corner? Why didn't I hear
> >about it before now? I thought I was pretty tuned in to this sort of
> >thing...
> This proposal utilizes RSA MD5 encryption. If you have this
> capability, why not go all the way to SSL (or SHTTP)? It would
> make much more sense.

Because its quick, lite-weight, and doesn't require a license from RSA.

> >For the longest time, I was under the impression that the web user
> >base would have two choices:
> >
> > 1. Use a free browser, and access only public information, or
> > send your password essentially in the clear to subscribe to
> > for-pay info.
> >
> > 2. Use a commercial browser that supports the security
> > options (SHTTP, SSL, kerberos...) supported by the services
> > you use.
> >
> >The reason I believed this was that real security is to expensive to
> >develop to give away (and it almost always requires a license of some
> >kind...).

Nope, nothing says that SSL and SHTTP can't be implemented using RSAREF,
the free version of TIPEM, and K5 is fairly easy to implement. SHTTP and
SSL will both be in the emacs-w3 browser within a few months (weeks ?:)

> I don't see how this proposal fixes this problem. It requires MD5 which
> will require a license from RSA. How does this not fall into your class
> 2 space? As long as I am in that space, I would much prefer a protocol
> which has been widely adopted by the financial community (e.g. SSL).

The MD5 algorithm does _NOT_ require a license from RSA. This is from
the md5-announcement.txt that came with the MD5 source I use in emacs:

---- begin excerpt
MD5 -- New Message Digest Algorithm
(Feel free to distribute further)

RSA Data Security is announcing MD5, a new message-digest algorithm.
Like MD4, this algorithm is being placed in the public domain for free
general use.

The MD5 algorithm is a strengthened version of MD4. It has four
rounds instead of three, and incorporates other revisions based on a
year's worth of collected comments on the MD4 algorithm. For example,
the input access patterns in rounds two and three have been improved,
and the rotation amounts have been optimized for maximum ``avalanche
effect.'' The additive constants have been made unique in each step,
and an additional dependence of each step on the previous one has been

---- end excerpt

Also, from all the headers in the source code:

---- begin excerpt
License to copy and use this software is granted provided that it
is identified as the "RSA Data Security, Inc. MD5 Message-Digest
Algorithm" in all material mentioning or referencing this software
or this function.

License is also granted to make and use derivative works provided
that such works are identified as "derived from the RSA Data
Security, Inc. MD5 Message-Digest Algorithm" in all material
mentioning or referencing the derived work.

---- end excerpt

No special-casing of free vs. commercial in there. Note 'public domain'

-Bill P.