- From: Clifford Lynch <cliff@cni.org>
- Date: Mon, 14 Aug 2000 12:50:44 -0700
- To: www-zig@w3.org
Just a couple of quick comments on this; I was not at the discussion at the recent ZIG and I'm just picking up on some recent comments on the list, so excuse me if this has already been hashed through.

On the issue Bob W. raised, at least the way I think about it, encrypting specific records or fields of records seems like it ought to be a function of the application. There's no reasonable way for Z39.50 itself to decide what records or fields in records ought to be secure, and this ought to be up to the programs that use Z39.50.

SSL-type security is really more complicated than just encryption. It also can carry authentication functions which are very useful -- there are certs passed around (required at the server end, optional at the client end, if I remember right). However, as I understand it (and I am not an expert in this area), the IETF has re-done SSL for general use (i.e. not just HTTP, but also SMTP and other protocols) via something called TLS (Transport Layer Security). This does not require the use of 2 ports, one for secure and one for unsecure, the way that HTTP/HTTPS does, at least as I understand it, and I think that the IETF thinking is to avoid 2 well-known ports for every protocol.

I'd urge you to give a read through the RFCs on TLS before making any decision about best practices.

Clifford

Received on Monday, 14 August 2000 15:49:16 UTC