- From: Eric Murray <ericm@lne.com>
- Date: Fri, 31 Jan 1997 09:59:33 -0800 (PST)
- To: rodney@sabletech.com (Rodney Thayer)
- Cc: ietf-tls@www10.w3.org
Rodney Thayer writes:
>
> There is an argument that says that TLS_NULL_WITH_NULL_NULL should
> definitely be implemented in production TLS implementations. It is useful
> for troubleshooting. Presumably such an implementation would employ
> warnings, blinking lights, sirens, loud warnings, extra user prompts, or
> whatever it takes to ensure it was only used for testing.

Yea. However in my experience writing two different SSL3 implementations it's the handshake that's the hardest part to get right. Getting the record-layer stuff correct is easy in comparison. In fact the way I've designed my SSLv3 code has required getting the record layer right before I can even get to the handshake stuff... I think that the TLS spec strongly encourages this type of design.

So, I agree it'd be useful, but I don't think it's useful enough to offset the possible security hole it opens.

--
Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF
Received on Friday, 31 January 1997 13:00:16 UTC