Keyed-MD5, ITAR, and HTTP-NG
Rich Salz
rsalz at osf.org
Mon Oct 30 20:05:03 PST 1995
All your individual answers make sense.
Taken together, tho, they make HTTP-NG worrisome on the crypto front.
For example, it's probably a real bad idea to replace DES with something
commonly called RC4. The former has been under public scrutiny for years,
the later still has not formally emerged from the shroud of trade secret.
The keyed MD5 responses also don't inspire confidence.
With all due respect, I strongly encourage you to leave crypto out of
HTTP-NG for the time being. Wait to see what happens from the various
IPng security, SSL, S-HTTP, the W3C work, et cetera. Leave some "holes"
in the protocol, but don't tie anything down now. For better for the
Web to wait six to 12 months for HTTP-NG, then for mistakes to occur
in this area.
/r$
More information about the cypherpunks-legacy
mailing list