IPP> SEC - TLS without PKI (Secure Remote Password)


McDonald, Ira imcdonald at sharplabs.com
Wed Mar 14 16:12:51 EST 2001


Hi folks,

Important new development that may cause TLS to be much
more widely deployed!

RFC 2945 - SRP Authentication and Key Exchange System
  (Sept 2000, IETF Proposed Standard)

draft-ietf-tls-srp-00.txt - Using SRP for TLS Authentication
  (5 February 2001, work-in-progress)

SRP (Secure Remote Password) allows all of our old-fashioned
username/password credentials to be used to establish strong
authentication WITHOUT use of PKI (public key infrastructure)
or Kerberos (the current options in TLS).

As those of you who follow security already know, PKI is
frighteningly expensive to deploy and poorly interoperable
across various commercial PKI products.

SRP may very well turn out to be the 'pixie dust' we need
to get IPP over HTTP over TLS implementations more widely
deployed.  Although this draft looks like a first draft (-00),
it's just the first time that the IETF TLS WG has officially
published it (based on previous individual contributions).
Expect this to move through the IETF process very quickly.
It could be the saving of TLS.

Cheers,
- Ira McDonald, consulting architect at Sharp and Xerox
  High North Inc

PS - Quite a few IETF WG's are now looking at SRP.


