Re: No More Passwords In The Clear in HTTP!

Phillip M. Hallam-Baker (hallam@dxal18.cern.ch)
Tue, 10 Jan 1995 20:24:54 +0100

In article <9DBE@cernvm.cern.ch> you write:

|> Nope, nothing says that SSL and SHTTP can't be implemented using RSAREF,
|>the free version of TIPEM, and K5 is fairly easy to implement. SHTTP and
|>SSL will both be in the emacs-w3 browser within a few months (weeks ?:)

Well, actually there is a good use for the symmetric and digest key schemes in any
system; RSA is very slow, far too slow for use on every single transaction.
That is why Alan and myself have both got schemes to minimise the number of
RSA operations.

RSAref cannot be used to implement SSL and may not allow S-HTTP to be done in
its entirety, the problem is that in RSAref you do not have functions
RSA-encrypt(x) and DES-encrypt(x) but have them lumped together as
RSA-encrypt(DES-encrypt(x)), well that's not quite what the problem is but
it gives you the idea, RSAref is not an all singing and dancing object, there
are some carefully thought out gotchas to stop you using it for certain
purposes. This may be different in RSAref3 should it exist. I have only RSAref2,
living as I do in the free world.

SSL uses RC4, which is "secret"; anyone wanting a copy can get one from a site in
Italy, however :-)

Another point is that we really do need an exportable authentication scheme.
Even if it is of limited security. Actually Public key does not provide more
security at the theoretic level, it's just easier to provide security in
practical situations.

--
Phillip M. Hallam-Baker

Not Speaking for anyone else.