> Protocols that offer increased complexity but no gain in security or
> efficiency over other standards-track efforts, but are in use today, are
> IMHO excellent candidates for Informational publication.
>
> Not for the standards track.
I think the point of this debate is whether or not there is added
strength to the encryption. And so far the opinions have been
divergent. If 3DES is a better PRNG than DES then it is stronger.
As we point out in the Drafts, the telnet encryption stream mechanism
is susceptible to attacks. We know that. We have addressed it in
various ways. Unfortunately, the Telnet AUTH option implementations
for Kerberos 4, Kerberos 5, and Secure Remote Password all rely on the
Telnet Encryption option for privacy. I don't think it is appropriate
to send Telnet Auth to Proposed Standard with its reliance on an
option that is Informational. Hence, the desire for all of these
drafts to go to Proposed Standard.
The TN3270 WG is working on a Telnet over TLS draft which has seen
several independent interoperable implementations for TN3270 and well
as more traditional telnet. My hope is to integrate Telnet over TLS
with Telnet AUTH so that Telnet AUTH may be used to provide mutual
authentication via a TLS using an ADH cipher. The one problem I have
run into is that the TLS Library vendors (other than OpenSSL) have
been very resistent to exporting the contents of the Finished messages
to the application so that they may be used in the Telnet Auth
negotiation to provide mutual authentication of the TLS. Once this
draft goes to Proposed Standard I would recommend that the Telnet
Encryption option be moved to Historical. But until that happens we
need it on the standards track.
These drafts have been floating around the net for almost eight years
with many implementations. Its time for them to move on.
- Jeff
Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
