There are a number of different requirements here, and a number of problems
that we're attempting to solve, and I haven't yet seen someone put them
together in a list so that the tradeoffs are easily established, especially
in the context of actually getting people to use the thing.
In the event we allow cleartext communications (not debating that here),
security for the nonce/session-id is an issue.
-=R
On Fri, Jul 20, 2012 at 9:56 AM, Poul-Henning Kamp <phk@phk.freebsd.dk>wrote:
> In message <CAP+FsNcWPw6j68Y9g9HfAWxZu-83W4p1cX0OTd4Fngky=
> PdvgA@mail.gmail.com>
> , Roberto Peon writes:
>
> >I don't want this to turn into TLS vs not TLS, just pointing out that
> >generating a shared nonce securely is something we already know how to do.
>
> It doesn't have to be secure, it doesn't even have to be unique, to
> serve the role I'm looking for, all I want is that the user-agent
> gives us a routeable id.
>
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>