
Re: Additional suggested cleanups for TLS

From: Phil Karlton <karlton@netscape.com>
Date: Tue, 17 Dec 1996 11:17:25 -0800
Message-ID: <32B6F1C5.317@netscape.com>
To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
CC: ietf-tls@w3.org

Be careful here. The reason SSL used only MD5 for the final phase of the
export case is that we were advised that it might be difficult to get a
CJ for products that used SHA in that step.

>  2) Mixing MD5 and SHA in a single ad-hoc function probably doesn't
>     buy anything because it is difficult to imagine a situation in
>     which SHA is broken but MD5 remains sound.

I have a pretty good imagination. :-)

Another issue concerns the MAC for the Finished messages. There was MUCH
discussion about whether they should be constructed like HMAC rather
than the ad hoc algorithm that was chosen. The tradeoffs are fairly

   pro) Using HMAC is more secure (probably).

   con) The server has to retain the entire handshake until it
        can compute the master_secret. The storage requirements
        for heavily used secure servers could be prohibitive.
        (Some information, e.g. the server's certificate chain
        is probably constant across all handshakes; and that
        helps a little.)

Philip L. Karlton		karlton@netscape.com
Principal Curmudgeon		http://www.netscape.com/people/karlton
Netscape Communications Corporation

    Everything should be made as simple as possible, but not simpler.
        -- Albert Einstein
Received on Tuesday, 17 December 1996 14:17:50 UTC
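The storage tradeoff Karlton describes (the "con" of an HMAC-style Finished MAC) can be made concrete. The following is an added example, not code from the original mail or from any SSL implementation. It models the server side of a handshake: messages arrive one at a time, and master_secret only becomes known after the last one. The SSL 3.0 style appends the key after the transcript, so the server can absorb each message into a running MD5 state and discard it; HMAC prepends the key, so the inner hash cannot start until the key exists and every message must be buffered. The handshake messages and master secret are constructed sample values; the pad constants and the "SRVR" sender value are the SSL 3.0 ones for the MD5 variant, and HMAC-MD5 stands in for the HMAC alternative under discussion.

```python
import hashlib
import hmac

# Constructed sample handshake transcript (not a real capture). The server
# sees these messages one at a time, in this order.
HANDSHAKE_MESSAGES = [
    b"ClientHello:example-client-random",
    b"ServerHello:example-server-random",
    b"Certificate:example-server-chain",
    b"ServerHelloDone",
    b"ClientKeyExchange:example-encrypted-premaster",
]
# Constructed master secret. In a real handshake the server can only derive
# it after ClientKeyExchange, the last message above.
MASTER_SECRET = b"\x42" * 48

# SSL 3.0 Finished construction, MD5 variant:
#   MD5(master_secret + pad2 + MD5(handshake_messages + Sender + master_secret + pad1))
PAD1_MD5 = b"\x36" * 48
PAD2_MD5 = b"\x5c" * 48
SENDER_SERVER = b"\x53\x52\x56\x52"  # Sender value "SRVR"


class StreamingSsl3Finished:
    """Ad hoc SSL 3.0 style: the key is appended, so the server only keeps
    the fixed-size running MD5 state while messages arrive."""

    def __init__(self):
        self.inner = hashlib.md5()

    def feed(self, msg):
        self.inner.update(msg)  # absorb the message, then forget it

    @property
    def retained_bytes(self):
        return 0  # no transcript bytes kept, only the hash state

    def finish(self, master_secret, sender):
        self.inner.update(sender + master_secret + PAD1_MD5)
        return hashlib.md5(master_secret + PAD2_MD5 + self.inner.digest()).digest()


class BufferedHmacFinished:
    """HMAC style: the key is prepended, so the inner hash cannot start until
    master_secret is known and every message must be retained until then."""

    def __init__(self):
        self.buffer = []

    def feed(self, msg):
        self.buffer.append(msg)  # must keep the whole message

    @property
    def retained_bytes(self):
        return sum(len(m) for m in self.buffer)

    def finish(self, master_secret, sender):
        transcript = b"".join(self.buffer) + sender
        return hmac.new(master_secret, transcript, hashlib.md5).digest()


def reference_ssl3_finished(messages, master_secret, sender):
    """One-shot computation used to check the streaming version."""
    inner = hashlib.md5(b"".join(messages) + sender + master_secret + PAD1_MD5).digest()
    return hashlib.md5(master_secret + PAD2_MD5 + inner).digest()


def reference_hmac_finished(messages, master_secret, sender):
    """One-shot HMAC-MD5 over the same transcript."""
    return hmac.new(master_secret, b"".join(messages) + sender, hashlib.md5).digest()


def run_handshake(cls):
    """Drive one Finished construction through the sample handshake.
    Returns (mac, transcript bytes the server had to retain)."""
    state = cls()
    for msg in HANDSHAKE_MESSAGES:
        state.feed(msg)
    retained = state.retained_bytes  # measured just before master_secret is known
    mac = state.finish(MASTER_SECRET, SENDER_SERVER)
    return mac, retained


if __name__ == "__main__":
    for cls in (StreamingSsl3Finished, BufferedHmacFinished):
        mac, retained = run_handshake(cls)
        print(f"{cls.__name__}: retained {retained} transcript bytes, mac={mac.hex()}")
```

The retained-byte count is what scales with handshake size and with the number of concurrent handshakes on a busy server; the streaming construction holds only the digest state regardless of transcript length. A keyed function applied to the running digests rather than to the raw transcript (the approach TLS 1.0 later took for verify_data) keeps the small-state property while still keying the final step.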
