On Friday, December 19, 2003 23:59:32 +0100 Niels Möller <nisse%lysator.liu.se@localhost> wrote:
Bill Sommerfeld <sommerfeld%east.sun.com@localhost> writes:

After:

A key exchange method uses "explicit server authentication" if the key exchange messages include a signature or other proof of the server's authenticity. A key exchange method uses "implicit server authentication" if, in order to prove its authenticity, the server also has to prove that it knows the shared secret K, by sending a message and a corresponding MAC which the client can verify. [1]

^^^ This should be deleted.

I referred to a footnote in my email, which nobody has commented on so far.

I suppose I should comment explicitly. I have no objection to the intent of the proposed text. I guess I am a little concerned that the "implicit" definition is still not specific enough. It's not clear from that text whether "implicit" authentication means that the server sends a message and MAC _as part of_ the key exchange, or that its identity is not known unless/until it does so _after_ the key exchange. From context I know it is the latter. I might suggest...
... if, after key exchange, the server's identity(*) is not proven until it has demonstrated knowledge of the shared secret K, by sending a message and a corresponding MAC which the client can verify.
(*) identity, authenticity, etc. Use whatever word you want here.
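
The timing distinction discussed above, as an added example that is not part of the original message or of the draft: with an implicit method the client finishes key exchange with the server still unproven, and marks it authenticated only after verifying a MAC keyed from K. The class and function names, the simplified key derivation and the sample byte values are assumptions made for illustration.

```python
import hashlib
import hmac

def derive_mac_key(shared_secret: bytes, exchange_hash: bytes) -> bytes:
    # Assumption: simplified derivation for this sketch, not the SSH one.
    return hashlib.sha256(shared_secret + exchange_hash + b"server-mac").digest()

def server_send(shared_secret: bytes, exchange_hash: bytes, message: bytes):
    """What a party claiming to be the server sends after key exchange."""
    key = derive_mac_key(shared_secret, exchange_hash)
    return message, hmac.new(key, message, hashlib.sha256).digest()

class ImplicitAuthClient:
    """Client state after key exchange with an implicit-authentication method."""

    def __init__(self, shared_secret: bytes, exchange_hash: bytes):
        self._mac_key = derive_mac_key(shared_secret, exchange_hash)
        self.kex_done = True
        # Key exchange has completed, but nothing has proven who the peer is.
        self.server_authenticated = False

    def receive(self, message: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._mac_key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            # Only a peer that knows K can produce this tag.
            self.server_authenticated = True
            return True
        return False  # a real client would drop the connection here

def demo():
    # Constructed sample values, not taken from any real exchange.
    k_client = b"\x11" * 32       # K as computed by the client
    k_impostor = b"\x22" * 32     # an impostor cannot compute the same K
    h = b"\x33" * 32              # exchange hash seen by both sides
    client = ImplicitAuthClient(k_client, h)
    states = [client.server_authenticated]            # right after kex
    client.receive(*server_send(k_impostor, h, b"service-accept"))
    states.append(client.server_authenticated)        # impostor's MAC fails
    client.receive(*server_send(k_client, h, b"service-accept"))
    states.append(client.server_authenticated)        # genuine server's MAC
    return states

if __name__ == "__main__":
    print(demo())
```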