1995-10-31 - Re: Keyed-MD5, ITAR, and HTTP-NG

Header Data

From: hallam@w3.org
To: cypherpunks@toad.com
Message Hash: 133f00c4af58cee6008dcde62da4c282111bf13ac684b3707b7d94fa2336687c
Message ID: <9510312015.AA00768@zorch.w3.org>
Reply To: <199510312331.SAA03949@jekyll.piermont.com>
UTC Datetime: 1995-10-31 21:45:06 UTC
Raw Date: Wed, 1 Nov 1995 05:45:06 +0800

Raw message

From: hallam@w3.org
Date: Wed, 1 Nov 1995 05:45:06 +0800
To: cypherpunks@toad.com
Subject: Re: Keyed-MD5, ITAR, and HTTP-NG
In-Reply-To: <199510312331.SAA03949@jekyll.piermont.com>
Message-ID: <9510312015.AA00768@zorch.w3.org>
MIME-Version: 1.0
Content-Type: text/plain



>A keyed version of MD5 is the base authentication mechanism in IPSP
>and it has been heavily examined by a number of very good
>cryptographers.

Yes we reviewed it and said that it sucked.

Phil wrote a note to Ron and Ron sent in a series of comments. I suggested that
the idea of a keyed digest be stated as a separate concept from a hash function.
Functions of one variable are intrinsically different from functions of two 
variables.

The sequence of events I heard was that they asked Burt Kaliski for a suggestion,
he gave them one and they chose something different.

	
>Isn't this what the GSS-API is about?  Couldn't HTTP-NG just convey GSS
>"tokens", and do something about getting both sides to agree on which GSS
>"mechanism" is to be used, and on what Principals are involved?

GSS is often brought up on occasions like this. I have never seen an architectural
overview of what it is trying to achieve for me or how. When I am provided 
with a clear definition of what it is I hope to arrive at a clear explanation 
of why I'm not using it. Unfortunately the RFC process strips the rationale
part out of the specs. 


		Phill






Thread