
Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

From: Keith Moore <moore@cs.utk.edu>
Date: Thu, 14 Jun 2007 16:19:20 -0400
Message-ID: <4671A2C8.6050509@cs.utk.edu>
To: "tom.petch" <cfinss@dial.pipex.com>
CC: Adrien de Croy <adrien@qbik.com>, Apps Discuss <discuss@apps.ietf.org>, ietf-http-wg@w3.org


>> how exactly does sending TLS credentials involve ferreting around in the
>> depths of a network stack?
>>     
>
> It doesn't:-)  Those responsible for the creation and maintenance of security
> credentials - which I see as the major ongoing work of security - prefer to do
> at an application level, using appropriate databases, which are
> somewhat removed from the lower layers in which TLS sits.  So TLS has a
> different set of credentials or none, which is the problem that channel binding
> overcomes.

Maybe what I think of as "application level" is different than how you
think of this term, but I've never heard of a client application that
uses TLS where TLS wasn't being called by the application, and where the
application wasn't in a position to supply credentials via TLS to the
server.

I'm not trying to be picky here.  Rather I think there's probably an
important principle here that needs to be teased out.

Keith
Received on Thursday, 14 June 2007 20:43:04 GMT
