Re: SSL Tunneling; Informational RFC; Last call?

Ari Luotonen <> writes:

>I would like to issue a Last Call for the SSL Tunneling spec (included
>below), in order to move it into the Informational RFC state.  The
>spec has remained virtually unchanged for two I-D rounds (current
>draft-luotonen-ssl-tunneling-03.txt expires on 9/26/97), so I believe
>there is consensus and it accurately describes the current behaviour.

I see a few problems, but none that I'd call show-stoppers:

   1) The title is (as implied in the abstract) deceptive, as there is
      no SSL sensitivity anywhere in the protocol.  The I-D is really a
      specification for bytestreams-over-HTTP.

   2) The Security Considerations section downplays the issues of #1,
      implying that what will run across this is SSL-secured HTTP.
      Some space should be given to considerations of generic bytestreams
      as well.  It might even make sense to suggest that the server
      refuse connections to certain ports (e.g. 25, to prevent spamming).

   3) The two Internet Drafts cited are outdated and no longer available.
      Is there a published specification of SSL these days, or are we
      just supposed to search the Netscape home site?

Ross Patterson
Sterling Software, Inc.
VM Software Division

Received on Monday, 15 September 1997 13:53:48 UTC