RE: Digest mess

If the current set of ciphersuites are not suitable, we
could always register a new ciphersuite and write a
profile for using HTTP w/TLS that references how 
implementations should minimally interoperate with
a set of ciphersuites.

Basically, I agree with Larry  M. in that the specs
are basically done and we shouldn't cry over spilled
milk. Its just bad timing that we couldn't try and use
TLS now that its here.

Randy


> -----Original Message-----
> From:	Paul Leach [SMTP:paulle@microsoft.com]
> Sent:	Wednesday, December 17, 1997 10:54 AM
> To:	Phillip M. Hallam-Baker; 'Randy Turner'
> Cc:	rlgray@us.ibm.com; HTTP Working Group
> Subject:	RE: Digest mess
> 
> Damn Exchange! It messed up the indenting when I cut and pasted... and
> hence
> you can't tell what Randy said and what I said. See below to correct
> that:
> 
> > ----------
> > From: 	Paul Leach
> > Sent: 	Wednesday, December 17, 1997 10:42 AM
> > To: 	Phillip M. Hallam-Baker; 'Randy Turner'
> > Cc: 	rlgray@us.ibm.com; HTTP Working Group
> > Subject: 	RE: Digest mess
> > 
> > 
> This is what Randy said:
> 
> > > ----------
> > > From: 	Randy Turner[SMTP:rturner@sharplabs.com]
> > > Sent: 	Wednesday, December 17, 1997 12:08 AM
> > > 
> > > If we're going to adequately address security,
> > > I would like to see it solved more
> > > robustly. Transport Layer Security (TLS)
> > > seems to address most, if not all, security
> > > requirements of most applications using HTTP.
> > 
> > 
> This was my reply:
> > > 
> > > Sure you can use SSL/TLS for all Web security -- and you can use
> atom
> > > bombs to kill ants, too.
> > > 
> > > There is no way to use TLS w/o encryption; and encryption is
> expensive
> > and
> > > often not needed.
> > > 
> > > There is no way to use TLS for client authentication without
> client
> > > certificates. Getting everyone to have a certificate is
> non-trivial,
> > > whereas everyone has passwords.
> > > 
> > Paul
> > 
> >

Received on Wednesday, 17 December 1997 12:00:34 UTC