Re: Digest Authentication, Netscape, and Microsoft

Scott Lawrence (lawrence@agranat.com)
Thu, 17 Apr 1997 12:01:45 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jim Gettys: "RE: 1xx Clarification"
Previous message: Kolics Bertold, University of Veszprem: "Re: Issues-list item "CACHING-CGI""
In reply to: Ari Luotonen: "Re: Digest Authentication, Netscape, and Microsoft"

>>>>> "AL" == Ari Luotonen <luotonen@netscape.com> writes:

AL> SSL does allow a null-cipher -- in Netscape Servers it's enabled via
AL> choice "No encryption, only MD5 message authentication".  This
AL> provides certificate based authentication and message integrity on
AL> HTTP data, but the data is not encrypted, so there's minimal overhead.

  It is not nearly as minimal as 2069 - in order use even a null
  cipher, I must be able to process a certificate.  For a good many
  systems, this is too costly (in code to do public key certificate
  handling, and licensing of that technology) and not justified by the
  product requirements.  I don't want to do RSA code in an ethernet
  repeater or a web coffeepot (and only one of those is a frivolous
  example).

  Certificate based security is wonderfull, and I fully support its
  wide use in the Internet and incorporation into all sorts of
  standards, but it is _not_ a replacement for simpler schemes which
  have different requirements.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/

Next message: Jim Gettys: "RE: 1xx Clarification"
Previous message: Kolics Bertold, University of Veszprem: "Re: Issues-list item "CACHING-CGI""
In reply to: Ari Luotonen: "Re: Digest Authentication, Netscape, and Microsoft"