- From: Scott Lawrence <lawrence@agranat.com>
- Date: Thu, 17 Apr 1997 12:01:45 -0400
- To: Ari Luotonen <luotonen@netscape.com>
- Cc: Hallam-Baker <hallam@ai.mit.edu>, dan@spyglass.com, http-wg@cuckoo.hpl.hp.com

>>>>> "AL" == Ari Luotonen <luotonen@netscape.com> writes:

AL> SSL does allow a null-cipher -- in Netscape Servers it's enabled via
AL> choice "No encryption, only MD5 message authentication". This
AL> provides certificate based authentication and message integrity on
AL> HTTP data, but the data is not encrypted, so there's minimal overhead.

It is not nearly as minimal as 2069 - in order to use even a null cipher, I must be able to process a certificate. For a good many systems, this is too costly (in code to do public key certificate handling, and licensing of that technology) and not justified by the product requirements. I don't want to do RSA code in an ethernet repeater or a web coffeepot (and only one of those is a frivolous example).

Certificate based security is wonderful, and I fully support its wide use in the Internet and incorporation into all sorts of standards, but it is _not_ a replacement for simpler schemes which have different requirements.

--
Scott Lawrence, EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc., Engineering, http://www.agranat.com/

Received on Thursday, 17 April 1997 09:05:02 UTC