STLP "implementation comments" from Phil Karlton on 1996-04-24 (ietf-tls@w3.org from April to June 1996)

From: Phil Karlton <karlton@netscape.com>
Date: Wed, 24 Apr 1996 09:52:50 -0700
To: ietf-tls@w3.org
Message-Id: <317E5C62.2781@netscape.com>
Some of the comments in the STLP draft are misdirected and have confused
at least one implementor of SSL 3. The responses below are only here to
remove confusion about the SSL spec. No inference should be made about
agreement or disagreement with any other part of the STLP spec or the
implementation comments.

> SSLv3 Implementation Comments
> 
> The following non-comprehensive list is derived from implementation
> experience with SSL Version 3 published as an Internet Draft in March
> 1996. Its intent is to suggest modifications to the base protocol
> rather than to specifically critique SSL Version 3. 
> 
> (1) There is no significant implementation cost for separate
> negotiation of the message digest algorithm and the bulk cypher.
> In fact, the code could be better if they were separate; instead
> of one large table with a lot of repetition between entries there
> would be two small tables with no repetition.

There is no API or implementation implied by the SSL 3 spec. In fact,
the Netscape implementation is done with mutliple small tables. 

> (2) Don't use post-compressed, post-hashed, post-encrypted,
> post-enveloped data for the final handshake digest. Implementation
> is painful. Using the original cleartext, or alternatively, the
> compressedtext, makes for a cleaner layer structure in the
> implementation.

The handshake hashes are done with the plaintext input of the handshake
data. A straightforward implementation is possible without any layering
violations.

> (4) Provision for a uniform message header for all types of messages
> is a very good thing. At any time in the process it should be
> possible to differentiate control from client data.

Since there are 4 sub-protocols on top of the SSL record layer
(application data, alerts, handshake, change cipher specs) it is already
possible to the differentiation.
 
> (7) Greater symmetry would be valuable from an implementation point
> of view. If a given piece of data is being exchanged, it should be
> the same whether the server or the client is supplying it (there
> should not be two different message formats for supplying a
> certificate). Right now, implementing the server and implementing
> the client are almost unrelated tasks because the protocol is so
> asymmetrical.

The final SSL 3.0 protocol was influenced by its implementation. Much
sharing is possible betweent the messages dealt with by the client and
server. (For instance, The Certificate message is the same independent
of direction.) Many messages contain common sub-records.

> (8) MD2 and MD4 need to be phased out owing to the detection of a
> security problem. SHA is recommended. 

SSL 3.0 does not use MD2 or MD4.

PK
--
Philip L. Karlton		karlton@netscape.com
Principal Curmudgeon		http://home.netscape.com/people/karlton
Netscape Communications

     They that can give up essential liberty to obtain a little
     temporary safety deserve neither liberty nor safety.
		- Benjamin Franklin
Received on Wednesday, 24 April 1996 12:52:53 UTC