From: Rich Salz <rsalz@osf.org>
To: ses@tipper.oit.unc.edu
Message Hash: 0ef35876b945a849bcc945f602b739ff997489b90315d4c0e66054952298fb90
Message ID: <9510310330.AA08343@sulphur.osf.org>
Reply To: N/A
UTC Datetime: 1995-10-31 04:05:03 UTC
Raw Date: Tue, 31 Oct 1995 12:05:03 +0800
From: Rich Salz <rsalz@osf.org>
Date: Tue, 31 Oct 1995 12:05:03 +0800
To: ses@tipper.oit.unc.edu
Subject: Re: Keyed-MD5, ITAR, and HTTP-NG
Message-ID: <9510310330.AA08343@sulphur.osf.org>
MIME-Version: 1.0
Content-Type: text/plain
All your individual answers make sense.
Taken together, tho, they make HTTP-NG worrisome on the crypto front.
For example, it's probably a real bad idea to replace DES with something
commonly called RC4. The former has been under public scrutiny for years,
the later still has not formally emerged from the shroud of trade secret.
The keyed MD5 responses also don't inspire confidence.
With all due respect, I strongly encourage you to leave crypto out of
HTTP-NG for the time being. Wait to see what happens from the various
IPng security, SSL, S-HTTP, the W3C work, et cetera. Leave some "holes"
in the protocol, but don't tie anything down now. For better for the
Web to wait six to 12 months for HTTP-NG, then for mistakes to occur
in this area.
/r$
Return to October 1995
Return to “Rich Salz <rsalz@osf.org>”