Re: [TLS] Straw poll on TLS SRP status
Pasi.Eronen at nokia.com wrote on 5/24/07 13:33 +0300:
> The question is: Do you support advancing draft-ietf-tls-srp as
> Proposed Standard?
>
> [ ] Yes.
> [ ] I think Informational/Experimental is better.
> [ ] I don't care about the status, just get it published.
> [ ] Something else, please state:
[X] I think Informational/Experimental is better.
It's my technical opinion that adding new user-level authentication mechanisms
to the TLS layer is not a good idea in general. TLS APIs are already quite
complex and can be difficult to use. Client certificate authentication has
been there long enough that it's a known quantity how to dig the necessary
details out of the TLS layer for an application to consume; however, more
traditional user-level authentication is a different beast. As GSSAPI and SASL
APIs have shown, designing general-purpose user-level authentication APIs is
very difficult, by itself tends to create APIs most people can't understand,
and it's not clear to me it's a good idea to add all that complexity to the
existing TLS APIs. I'd much rather keep user-level authentication as a
separate subsystem and promote channel bindings on the standards track instead.
What do others on the list think about this issue?
- Chris