W3C home > Mailing lists > Public > ietf-tls@w3.org > April to June 1996

RE: STLP and proposal

From: Dan Simon <dansimon@microsoft.com>
Date: Tue, 23 Apr 1996 13:44:19 -0700
Message-Id: <c=US%a=_%p=msft%l=RED-92-MSG-960423204419Z-23495@tide21.microsoft.com>
To: "'ietf-tls@w3.org'" <ietf-tls@w3.org>
>
>This is in response to the mailings and press announcements exchanged
>regarding the Microsoft proposed modifications to the SSL 3.0
>specifications -- apparently referred to in the industry as "STLP".
>
Taher addresses only two technical points:  datagram support and support
for pre-encrypted data.  The former, while certainly not the *main*
function for a TLS protocol, is useful for such purposes as sending
out-of-band data, and for protocols like PPTP, which establish a TCP
connection for control messages but use IP for bulk data transmission. 
Taher claims that the mechanism proposed for the latter (pre-encrypted
data) "breaks" the protocol, but I don't see that it poses any security
(or other) problems.  (If it does, I would certainly like to see the
details.)  In the absence of such problems, I believe that support for
pre-encrypted data would be a useful efficiency feature of the protocol.
 (I might add that there are most probably other ways of implementing
the feature safely, if use of the "change cipher spec" message is
unworkable.)

There are a number of other technical issues raised by the STLP document
that I believe merit consideration.  The most salient is the possibility
of revamping the handshake protocol flow to make it more flexible,
symmetric and efficient.  Another is that the negotiation of
authentication options can be made more flexible and explicit by
including, for example, certificate types and the option of
password-based authentication.  (This latter topic has already been
raised by David Kemp, who opposes the inclusion of the password option,
and has also commented on some of the other technical issues; I'll
respond to his points as soon as I can.)

				Daniel Simon
				Cryptographer, Microsoft Corp.
				dansimon@microsoft.com

>
Received on Tuesday, 23 April 1996 16:44:33 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:34:46 EDT