[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on CRACK



Hi Dan,

You raise a security concern regarding the option of using a group/NULL shared
secret in XAUTH.
The security this option delivers is lacking.
The way I see it there are two options:
1. Don't implement this option.
2. Get the consensus of the working group to remove this option all together from
the XAuth draft.
I support the second option.
This, however, does not constitute a good enough reason to come up with a second
draft that tries to solve the same problem in a different method.

Tamir.