- From: Adam Shostack <adam@homeport.org>
- Date: Thu, 6 Feb 1997 07:42:37 -0500 (EST)
- To: chk@gnu.ai.mit.edu (Christian Kuhtz)
- Cc: marks@thawte.com, chk@gnu.ai.mit.edu, ChristopherA@consensus.com, tjh@mincom.com, ietf-tls@w3.org, ssl-talk@netscape.com
Christian Kuhtz wrote:

| In essence, we need something that just simply presents a generic adapter
| piece for SSL service in a connection negotiation. I have not had
| much time to look at the FTP spec, and frankly, don't have the
| pointer anymore. But it can't be that hard and we *have* to do it.

A generic adapter piece like portmapper? The problem with portmapper (and family) is that it makes packet filtering to exclude protocols very difficult. That requires installing security configuration tools on every machine on your network that offers any service over TLS. I don't believe that there are, or will in the near future be, tools to effectively manage such groupings of connections.

On another part of the thread, standardizing on 'non-reserved' ports allows daemon mode implementations to be run as a user without being called from inetd. If http worked on 8000, then there would be fewer web servers attempting to run as root, and that would be a security win.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
Received on Thursday, 6 February 1997 07:45:44 UTC