- From: Keith Moore <moore@cs.utk.edu>
- Date: Thu, 14 Jun 2007 16:19:20 -0400
- To: "tom.petch" <cfinss@dial.pipex.com>
- CC: Adrien de Croy <adrien@qbik.com>, Apps Discuss <discuss@apps.ietf.org>, ietf-http-wg@w3.org

>> how exactly does sending TLS credentials involve ferreting around in the
>> depths of a network stack?
>
> It doesn't:-) Those responsible for the creation and maintenance of security
> credentials - which I see as the major ongoing work of security - prefer to do
> at an application level, using appropriate databases, which are
> somewhat removed from the lower layers in which TLS sits. So TLS has a
> different set of credentials or none, which is the problem that channel binding
> overcomes.

Maybe what I think of as "application level" is different than how you think of this term, but I've never heard of a client application that uses TLS where TLS wasn't being called by the application, and where the application wasn't in a position to supply credentials via TLS to the server.

I'm not trying to be picky here. Rather I think there's probably an important principle here that needs to be teased out.

Keith

Received on Thursday, 14 June 2007 20:43:04 UTC