RE: [TLS] Comments on TLS identity protection
Peter Williams <home_pw@msn.com> Wed, 20 December 2006 15:29 UTC
Message-ID: <BAY103-W38D3315D4055DB8DDE71D92CF0@phx.gbl>
From: Peter Williams <home_pw@msn.com>
To: pasi.eronen@nokia.com, badra@isima.fr
Subject: RE: [TLS] Comments on TLS identity protection
Date: Wed, 20 Dec 2006 07:29:43 -0800
Cc: tls@ietf.org
Netscape and Microsoft always took different approaches to https, and TLS. You can, too! For Netscape, they really never moved beyond writing a common client-side library, that smelled like a socket, but got managed like any winform or adminwebsite. The lib was always used to secure-enable an app [platform], versus be a protocol layer. And this was despite their excellent stack-architecture (as the patent shows!); and the MSFT-produced implementation of the platform even in winsock! For Microsoft, they contrasted Netscape's "application-centric platform making" by putting SSL and SSL CSPs into the OS platform, so it could be properly evaluated under CC like all the rest of the B1-grade OS security features that Windows NT was approaching at that point. For Netscape, FIPS-mode was really as far as they got with assurance doctrine; for Microsoft (MSFT UK in particular, and the UK eval labs), meeting assurance standards, architecturally and functionally, was the whole game. Evaluating the network component of a trusted commodity OS was not hard science, at that point. There was an enormous amount of work done in this area, for NT 4.0, and then again for NT4 SP4. This is all junk Internet history. But, SSL has always been a very varied camp, as you would expect from something capable of being an Internet Standard. It has a momentum of its own, because of something architecturally "right". Kipp H (who I never met) and Tajer did something very special. It would not have made it to SSL3 without the Wienstiens, and their hypermedia orientation. Tim D and co, with SSLRef and those early VeriSign security audits! and the 2 nameless Australian brethren, of course! And, let's not forget the other Eric! Eric R.'s work with Alan Schiffman for DARPA was all part of the early argument that became the mainstay of NS vs MSFT, choosing between application vs OS/stack solutions for SPs.
I still remember the first time I ever heard of SSL... in Eric's/Alan's lecture, launching shttp version dot-something, by compare and contrast! I don't recall if this was late 94, or 95; though it would not be hard to find out, given the "searchable record system" known as the Internet. This all seemed bizarre to the world I was looking at, which was all about repurposing NSA's TLSP, fathoming ongoing NLSP standards in ISOland, and figuring what all the legacy "weird" key management protocol stuff from the Motorola/BBN/GTE security groups was all about, and its (then) weird access control concept, via key management! And none of that would have mattered if the MSFT team (which I knew very well) had not been competing at the architectural level: on the grounds of "platform-to-platform," "belief system" to "belief system" about what grandma really needs from a PC. IETF gave the standard the wrong name. As that benchmark of security argument, known as David Kemp, once erred: the "Session Layer Socket" protocol does X....

> To get widespread deployment, several TLS implementations would
> have to be updated, e.g. Microsoft Schannel, OpenSSL, Mozilla NSS,
> JSSE, GnuTLS, etc. Getting any change, no matter how "minimal",
> to them is not easy.
>
> > > I think deployment-wise, double handshake has the advantage
> > > that it's already specified and implemented.
> >
> > Any link to test the implementation, please?
>
> Pick your favorite TLS implementation! There are at least
> couple of dozen of them (though probably not all of them
> support renegotiation).
>
> Some of my favourites (which seem to support renegotiation)
> are http://www.openssl.org/ and http://www.gnutls.org/ -- but no
> doubt there are other ones that are equally good.
>
> Best regards,
> Pasi