Re: TWO WEEK LAST CALL: Regularizing Port Numbers for SSL. from Rodney Thayer on 1997-02-05 (ietf-tls@w3.org from January to March 1997)

From: Rodney Thayer <rodney@sabletech.com>
Date: Wed, 05 Feb 1997 07:08:30 -0500
To: ietf-tls@w3.org
Message-Id: <3.0.16.19970205070157.36cfdb7a@pop3.pn.com>

I disagree that it's easy to SSL-ize applications. I added SSL to <a
commercial browser> and it was massively painful because of the message
negotiation that has to happen up front; this interfered unfortunately with
the non-blocking I/O model the browser was using.

Of course, now that I have the scars from this experience I feel I
understand exactly what I need to do next time I design an application...


>Resent-Date: Wed, 5 Feb 1997 01:42:33 -0500
>Resent-Message-Id: <199702050642.BAA26289@www19.w3.org>
>From: Eric Murray <ericm@lne.com>
>Subject: Re: TWO WEEK LAST CALL: Regularizing Port Numbers for SSL.
>To: jaltman@columbia.edu
>Date: Tue, 4 Feb 1997 22:38:42 -0800 (PST)
>Cc: ChristopherA@consensus.com, ietf-tls@w3.org
>X-List-URL: http://lists.w3.org/Archives/Public/ietf-tls
>Resent-From: ietf-tls@w3.org
>X-Mailing-List: <ietf-tls@w3.org> archive/latest/545
>X-Loop: ietf-tls@w3.org
>Sender: ietf-tls-request@w3.org
>Resent-Sender: ietf-tls-request@w3.org
>
>Jeffrey Altman writes:
>> 
>> I have strong interest in adding TLS/SSL support for telnet, login, and
>> ftp.
>> 
>> The reality is that you need to have separate ports unless we want to
>> force a major re-write of applications.
>
>I used to agree with that, but when I tried it I decided that
>actually it's not that bad.  SSL-izing telnet and ftp took me
>about two days each, and most of that time was spent understanding
>the option negotiation.  Of course that doesn't mean that it'll
>work for everything, but I'd be willing to bet that there isn't
>another protocol with an option negotiaiton that's sicker than
>telnets. :-)
>
>There's an internet draft on SSL inside ftp (i.e. negotiating
>use of SSL in an FTP connection) written by Paul Ford-Hutchinson
>Tim Hudson and myself: draft-murray-auth-ftp-ssl-00.txt.
>
>> Of course, the preference would be to have TLS/SSL be implemented in
>> the protocol stack and be transparent to the application whenever
>> possible.
>
>For real security you still need to provide the user some indication
>what CipherType was negotiated.  Otherwise someone might connect
>at "40 bits" when their data needs more security that that.
>So it can't be 100% transparent.
>
>
>-- 
>Eric Murray  ericm@lne.com  ericm@motorcycle.com  http://www.lne.com/ericm
>PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27
29 AF
>
>
>
--------
Rodney Thayer <rodney@sabletech.com>
PGP Fingerprint: BB1B6428 409129AC  076B9DE1 4C250DD8

Received on Wednesday, 5 February 1997 07:10:50 UTC