Sat, 06 Nov 1999 18:29:03 +0000
"Mark S. Miller" wrote:
> At 04:34 AM 11/6/99 , Ben Laurie wrote:
> >Following on from these comments, something I've been wondering for a
> >while is why not just use TLS?
> I believe the short answer is "wrong handshake". The longer answer is Bill's
Hmmm ... well, he says that ID_SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA isn't
supported, but OpenSSL supports it (and others with perfect forward
As for the X509 point: "Our application is set up to accept a key pair
"cert" as the top level CA. We distribute both the public and private
keys to that CA as part of the application. When a vat goes to create an
identity, it creates a certificate which associates the RegistrarID (the
hash of the public key) as the X.509 distinguished name with the new
public key for the identity. When it builds a SSL connection, it passes
that certificate to the other"
In fact, you don't even need to distribute a CA cert - you just use a
self-signed cert as your server cert.
I don't understand why "we will need to add certificate checking that
ensures that the distinguished name is indeed the hash of the public
key" is necessary at all. Who cares what the DN is if you have the key
in your hand?
DSS is supported in OpenSSL (not in a standardised way, but that
shouldn't be an issue, I'd say).
"Client Server vs. Peer to Peer" - it seems to me this is meaningless.
Each peer acts as a client when it initiates a connection and a server
when it receives one. SSL is used in the obvious way in each case.
As for PLS, surely this is orthogonal to SSL - a) it is erroneous to say
"An SSL client always knows where to contact his server. It is port 443
on host foo.bar.com" - that is HTTPS not SSL, and anyway, where did we
get foo.bar.com from? It is no more true than it would be if you
substituted "TCP" for "SSL". b) SSL is for securely transporting data.
It operates at effectively the same level as TCP. The question of PLS
just isn't in scope.
In short, I find myself entirely unconvinced by the arguments. Are there
BTW, why does the page only mention commercial SSL implementations, and
not any of the free ones?
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
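What the point about the DN amounts to in code, as an added example that is not part of the original message or of the E implementation: identify the peer by the hash of its public key and let the self-signed certificate carry any DN at all. Go's standard TLS stack is assumed here; the names KeyID, SelfSigned and VerifyPinnedKey are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyID is the peer's identity (the hash-of-public-key idea above): SHA-256 over the DER SubjectPublicKeyInfo. The DN plays no part.
func KeyID(spki []byte) string { return fmt.Sprintf("%x", sha256.Sum256(spki)) }

// SelfSigned mints a throwaway self-signed certificate (DER) with any CN the caller asks for, plus its KeyID. Constructed material; no CA at all.
func SelfSigned(cn string) ([]byte, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, "", err
	}
	spki, err := x509.MarshalPKIXPublicKey(pub)
	return der, KeyID(spki), err
}

// VerifyPinnedKey is a tls.Config.VerifyPeerCertificate callback: the peer is accepted only if
// the key in its leaf certificate hashes to expected. Install it with
// &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: VerifyPinnedKey(id)};
// InsecureSkipVerify only drops the CA-chain and hostname checks, which mean nothing here,
// and this callback still runs on every handshake.
func VerifyPinnedKey(expected string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return fmt.Errorf("peer sent no certificate")
		}
		leaf, err := x509.ParseCertificate(raw[0])
		if err != nil {
			return err
		}
		if got := KeyID(leaf.RawSubjectPublicKeyInfo); got != expected {
			return fmt.Errorf("peer key %s is not the pinned key %s", got, expected)
		}
		return nil
	}
}
```

Two certificates with the identical CN but different keys are told apart, and the genuine one is accepted without any CA being distributed.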