IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Keith Moore moore at cs.utk.edu
Fri Apr 23 14:43:48 EDT 1999


> Keith Moore wrote:
> > 
> >     Servers are REQUIRED to implement "TLS + Basic" OR Digest.
> > 
> >     Clients are REQUIRED to implement Digest.  If the client
> >     supports TLS then it is also REQUIRED to support "TLS + Basic".
> > 
> > Won't fly, because it doesn't ensure interoperability.
> 
> Requiring TLS in all clients will force non-compliant clients.

perhaps.  if that's really the case, then it would probably be
better for everyone to implement digest.  but I don't think 
that RSA licensing should be a barrier, because TLS doesn't
require RSA.
 
> Also, after looking at TLS more closely, TLS poses additional
> interoperability concerns (specifically, there are no required
> ciphers, only recommended ones.)  

Where do you get that idea?  From RFC 2266:

] 9. Mandatory Cipher Suites
] 
]    In the absence of an application profile standard specifying
]    otherwise, a TLS compliant application MUST implement the cipher
]    suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

 
> If a TLS-capable server and
> client can't find a common cipher to use, then they either have to
> send data in the clear or drop the connection, which either kills
> security or interoperability (take your pick)...

Every application that uses TLS has to either choose a mandatory-to-implement 
cipher or is implicitly (by referencing the TLS spec) required to implement
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

Keith
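
The interoperability argument above (a suite both sides MUST implement means the server can always find a common cipher; otherwise it has to abort the handshake) can be made concrete by looking at the cipher_suites field of a TLS 1.0 ClientHello. The following is an added example, not part of the original message or of the IPP work: it builds a ClientHello from a constructed cipher-suite list, parses the suite code points back out of the record, and runs server-preference selection as described in RFC 2246 section 7.4.1.3, returning None where a real server would send a handshake_failure alert. The code points and the wire layout are taken from RFC 2246 (the TLS 1.0 specification); the random bytes and the suite lists are constructed test data, and the function names are this example's own.

```python
"""TLS 1.0 ClientHello cipher-suite handling, written as a stand-alone example.

Wire format and code points follow RFC 2246 (TLS 1.0). Everything else here
(function names, sample suite lists, the all-zero client random) is constructed
for illustration and is not taken from any real implementation.
"""
import struct

# Cipher suite code points from RFC 2246 Appendix A.5.
CIPHER_SUITES = {
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
# RFC 2246 section 9: the suite every TLS implementation MUST support
# unless an application profile says otherwise.
MANDATORY_SUITE = 0x0013

RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01


def build_client_hello(suites, client_random=b"\x00" * 32):
    """Serialise a minimal TLS 1.0 ClientHello (no session id, no extensions)."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    body = struct.pack("!BB", 3, 1)                       # client_version 3.1 = TLS 1.0
    body += client_random                                 # gmt_unix_time + random_bytes
    body += b"\x00"                                       # empty session_id
    body += struct.pack("!H", 2 * len(suites))            # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!BBH", 3, 1, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suite code points]) from a handshake record.

    Every length field is checked against the bytes actually present, so a
    truncated or malformed hello raises ValueError instead of reading garbage.
    """
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or len(handshake) < 4:
        raise ValueError("truncated handshake record")
    if handshake[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello body")
    version = (body[0], body[1])
    pos = 2 + 32                                          # skip version and random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, suites_len, 2)]
    return version, suites


def select_cipher_suite(client_suites, server_suites):
    """Server-preference selection (RFC 2246 section 7.4.1.3).

    Returns the first suite in the server's preference order that the client
    also offered, or None when there is no overlap. A real server answers None
    with a handshake_failure alert and closes: the 'drop the connection' case
    in the thread. If both lists contain MANDATORY_SUITE this can never be None.
    """
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None


if __name__ == "__main__":
    hello = build_client_hello([0x000A, 0x0005, MANDATORY_SUITE])
    version, offered = parse_client_hello(hello)
    print("client version", version, "offers", [CIPHER_SUITES[s] for s in offered])
    chosen = select_cipher_suite(offered, [0x0016, MANDATORY_SUITE, 0x000A])
    print("server selects", CIPHER_SUITES[chosen])
    print("RC4-only client vs 3DES-only server:",
          select_cipher_suite([0x0005], [MANDATORY_SUITE]))
```

The last call in the usage block is the failure mode the thread worries about: a client offering only a non-mandatory suite against a server that implements only the mandatory one gets no common cipher, and the only conforming response is to abort rather than fall back to cleartext.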
