- From: Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com>
- Date: Mon, 15 Sep 97 16:30:36 EDT
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Ari Luotonen <luotonen@netscape.com> writes:
>I would like to issue a Last Call for the SSL Tunneling spec (included
>below), in order to move it into the Informational RFC state. The
>spec has remained virtually unchanged for two I-D rounds (current
>draft-luotonen-ssl-tunneling-03.txt expires on 9/26/97), so I believe
>there is consensus and it accurately describes the current behaviour.
I see a few problems, but none that I'd call show-stoppers:
1) The title is (as implied in the abstract) deceptive, as there is
no SSL sensitivity anywhere in the protocol. The I-D is really a
specification for bytestreams-over-HTTP.
2) The Security Considerations section downplays the issues of #1,
implying that what will run across this is SSL-secured HTTP.
Some space should be given to considerations of generic bytestreams
as well. It might even make sense to suggest that the server
refuse connections to certain ports (e.g. 25, to prevent spamming).
3) The two Internet Drafts cited are outdated and no longer available.
Is there a published specification of SSL these days, or are we
just supposed to search the Netscape home site?
Ross Patterson
Sterling Software, Inc.
VM Software Division
Received on Monday, 15 September 1997 13:53:48 UTC