Securing Z39.50 & SSL

just a couple of quick comments on this; i was not at the discussion 
at the recent ZIG and i'm just picking up on some recent comments on 
the list, so excuse me if this has already been hashed through.

On the issue Bob W. raised, at least the way I think about it, 
encrypting specific records or fields of records seems like it ought
to be a function of the application. there's no reasonable way for 
z39.50 itself to decide what records or fields in records ought to be 
secure, and this ought to be up to the programs that use z39.50.

ssl type security is really more complicated than just encryption. it 
also can carry authentication functions which are very useful -- 
there are certs passed around (required at the server end, optional 
at the client end, if i remember right). however, as i understand it 
(and i am not an expert in this area), the IETF has re-done SSL for 
general use (i.e. not just HTTP, but also SMTP and other protocols) via
something called TLS (Transport layer security). This does not 
require the use of 2 ports, one for secure and one for unsecure, the 
way that HTTP/HTTPS does, at least as I understand it, and I think 
that the IETF thinking is to avoid 2 well-known ports for every 
protocol.  I'd urge you to give a read through the RFCs on TLS before 
making any decision about best practices.

Clifford

Received on Monday, 14 August 2000 15:49:16 UTC