In the recent discussion of the STLP "strawman", several issues have come up; here are my thoughts on a few. For what it's worth, I'm in the middle of implementing SSL 3.0 right now.

- UDP and other unreliable transports:

I don't think support for an unreliable protocol is appropriate for this effort. The current protocols (SSL & PCT) both provide protection against an opponent blocking traffic; this can be detected. In SSL 3.0, truncation attacks can be detected. Using an unreliable underlying transport makes it impossible to provide protection against this without essentially creating a stream transport on top of it.

I think the standard we create should provide a certain set of security features which are provided by all implementations of the standard, and that protection against these "interruption" attacks should be a part of it. However, we should think about an unreliable transport standard which would leverage its cipher negotiation and authentication off of the stream protocol.

 - Tim Dierks

Tim Dierks -- timd@consensus.com -- www.consensus.com
Head of Thing-u-ma-jig Engineering, Consensus Development

Received on Thursday, 25 April 1996 22:50:12 UTC
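An added illustration, not part of Tim Dierks's message and not SSL 3.0's actual record format: a simplified Python model of how a protocol over a reliable stream detects blocked or truncated traffic, using an implicit per-record sequence number inside the MAC and an authenticated closure record. The record layout, the HMAC-SHA256 choice, and the names `seal`, `send_stream` and `receive_stream` are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

DATA, CLOSE = 0, 1   # toy record types; CLOSE stands in for a closure alert
MAC_LEN = 32         # HMAC-SHA256 output size (assumed MAC for this sketch)

def _mac(key, seq, rtype, payload):
    # The sequence number is never sent; both sides count records themselves.
    return hmac.new(key, struct.pack(">QB", seq, rtype) + payload,
                    hashlib.sha256).digest()

def seal(key, seq, rtype, payload):
    """One record: type byte || payload || MAC over (seq, type, payload)."""
    return bytes([rtype]) + payload + _mac(key, seq, rtype, payload)

def send_stream(key, messages):
    """Sender: number records in order and end with an authenticated CLOSE."""
    records = [seal(key, i, DATA, m) for i, m in enumerate(messages)]
    records.append(seal(key, len(messages), CLOSE, b""))
    return records

def receive_stream(key, records):
    """Receiver: return (payloads, status).

    status is 'ok', 'bad_mac' (a record was lost, reordered or altered)
    or 'truncated' (the transport ended with no authenticated CLOSE).
    """
    out = []
    for seq, rec in enumerate(records):   # seq is the receiver's own counter
        if len(rec) < 1 + MAC_LEN:
            return out, "bad_mac"
        rtype, payload, tag = rec[0], rec[1:-MAC_LEN], rec[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(key, seq, rtype, payload)):
            return out, "bad_mac"
        if rtype == CLOSE:
            return out, "ok"
        out.append(payload)
    return out, "truncated"

if __name__ == "__main__":
    key = b"k" * 32                               # constructed sample key
    recs = send_stream(key, [b"pay 100", b"to alice", b"not bob"])
    print(receive_stream(key, recs))              # intact stream
    print(receive_stream(key, recs[:1] + recs[2:]))  # middle record blocked
    print(receive_stream(key, recs[:2]))          # stream cut short
```

On a datagram transport, loss and reordering are normal events, so a receiver cannot treat a gap in this counter as evidence of interference, which is the difficulty the message describes.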