1995-10-31 - Re: Keyed-MD5, ITAR, and HTTP-NG

Header Data

From: Rich Salz <rsalz@osf.org>
To: ses@tipper.oit.unc.edu
Message Hash: 0ef35876b945a849bcc945f602b739ff997489b90315d4c0e66054952298fb90
Message ID: <9510310330.AA08343@sulphur.osf.org>
Reply To: N/A
UTC Datetime: 1995-10-31 04:05:03 UTC
Raw Date: Tue, 31 Oct 1995 12:05:03 +0800

Raw message

From: Rich Salz <rsalz@osf.org>
Date: Tue, 31 Oct 1995 12:05:03 +0800
To: ses@tipper.oit.unc.edu
Subject: Re:  Keyed-MD5, ITAR, and HTTP-NG
Message-ID: <9510310330.AA08343@sulphur.osf.org>
MIME-Version: 1.0
Content-Type: text/plain


All your individual answers make sense.

Taken together, tho, they make HTTP-NG worrisome on the crypto front.

For example, it's probably a real bad idea to replace DES with something
commonly called RC4.  The former has been under public scrutiny for years,
the latter still has not formally emerged from the shroud of trade secret.
The keyed MD5 responses also don't inspire confidence.

With all due respect, I strongly encourage you to leave crypto out of
HTTP-NG for the time being.  Wait to see what happens from the various
IPng security, SSL, S-HTTP, the W3C work, et cetera.  Leave some "holes"
in the protocol, but don't tie anything down now.  Far better for the
Web to wait six to 12 months for HTTP-NG, than for mistakes to occur
in this area.
	/r$




