Re: Keyed-MD5, ITAR, and HTTP-NG

>A keyed version of MD5 is the base authentication mechanism in IPSP
>and it has been heavily examined by a number of very good

Yes, we reviewed it and said that it sucked.

Phil wrote a note to Ron and Ron sent in a series of comments. I suggested that
the idea of a keyed digest be stated as a separate concept from a hash function.
Functions of one variable are intrinsically different from functions of two 

The sequence of events I heard was that they asked Burt Kaliski for a suggestion,
he gave them one and they chose something different.

>Isn't this what the GSS-API is about?  Couldn't HTTP-NG just convey GSS
>"tokens", and do something about getting both sides to agree on which GSS
>"mechanism" is to be used, and on what Principals are involved?

GSS is often brought up on occasions like this. I have never seen an architectural
overview of what it is trying to achieve for me or how. When I am provided
with a clear definition of what it is, I hope to arrive at a clear explanation
of why I'm not using it. Unfortunately the RFC process strips the rationale
part out of the specs.