Announcing Droplets
Mark S. Miller
markm@caplet.com
Wed, 29 Sep 1999 13:42:06 -0700
At 01:24 PM 9/29/99 , Tyler Close wrote:
> > If there is an adequate answer, then you are correct. If
> > there isn't, then
> > both of us were wrong.
>
>I believe I am correct. The SSL spec says very clearly that:
>
>One such encapsulated protocol, the SSL Handshake Protocol,
>allows the server and client to authenticate each other and
>to negotiate an encryption algorithm and cryptographic keys
>before the application protocol transmits or receives its
>first byte of data.
This means very little to me, other than as a statement of a goal. What is
an HTTPS conformant system actually supposed to *do* when asked to
dereference "https://www.fudco.com/blah.html"?
>This seems pretty clear to me. If it wasn't so, then any
>secure web site on the net could be spoofed.
This gives some reason for confidence that they are doing something with
some kind of reasonable properties, and they probably are. But until we
understand what, at least conceptually, we don't know what it means. If we
build on it, then we don't know what our resulting system means.
Cheers,
--MarkM