1995-10-30 - Re: Keyed-MD5, ITAR, and HTTP-NG

Header Data

From: Rich Salz <rsalz@osf.org>
To: ses@tipper.oit.unc.edu
Message Hash: 5a1f098bd91f81c9ec0495267cb036bf3d97841dc7dae962c97c837bba07bf81
Message ID: <9510301954.AA07200@sulphur.osf.org>
Reply To: N/A
UTC Datetime: 1995-10-30 21:33:45 UTC
Raw Date: Tue, 31 Oct 1995 05:33:45 +0800

Raw message

From: Rich Salz <rsalz@osf.org>
Date: Tue, 31 Oct 1995 05:33:45 +0800
To: ses@tipper.oit.unc.edu
Subject: Re:  Keyed-MD5, ITAR, and HTTP-NG
Message-ID: <9510301954.AA07200@sulphur.osf.org>
MIME-Version: 1.0
Content-Type: text/plain


>At the moment, I'm thinking of making the mandatory schemes be Keyed MD5
>for authentication, and weakened RC4 with an IV for confidentiality, with
>the added stipulation being that the user must be informed when key
>weakening is being used. I may swap RC4 for DES; they're both public 
>domain, but RC4 is simpler. They're both shared key, but I don't make PK 
>stuff mandatory. 

The licensed version of RC4, or the software that was posted anonymously?

Do you really feel comfortable basing an IETF standard on that?  When
you use the term RC4, do you mean the real version or the posted one?
What will you do if they ever conflict?  Can you even use the name RC4
for the posted version?  It seems to me that RC4 means the RSA licensed
code, which presumably you wanted to avoid when you wrote no mandatory PK.

Where would you swap RC4 for DES?

I assume your added stipulation is a "should" not a "must" item.

How are you going to handle key management and naming?
	/r$




