[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Keyed-MD5, ITAR, and HTTP-NG

>At the moment, I'm thinking of making the mandatory schemes be Keyed MD5
>for authentication, and weakened RC4 with an IV for confidentiality, with
>the added stipulation being that the user must be informed when key
>weakening is being used. I may swap RC4 for DES; they're both public 
>domain, but RC4 is simpler. They're both shared key, but I don't make PK 
>stuff mandatory. 

The licensed version of RC4, or the software that was posted anonymously?

Do you really feel comfortable basing an IETF standard on that?  When
you use the term RC4 do you mean the real version or the posted one,
what will you do if they ever conflict?  Can you even use the name RC4
for the posted version?  It seems to me that RC4 means the RSA licensed
code, which presumably you wanted to avoid when you wrote no mandatory PK.

Where would you swap RC4 for DES?

I assume your added stipulation is a "should" not a "must" item.

How are you going to handle key management and naming?