Netscape's use of SSL

Tyler Close tjclose@yahoo.com
Fri, 21 Jan 2000 22:57:18 -0500


I think these misgivings come from not accepting what SSL provides and
doesn't provide.

In the typical HTTPS use, SSL authenticates the server to the client
and allows the server to send data on a communication channel that is
acceptable to the client.

This may seem like very limited functionality, but from my perspective
it is all that is needed and nothing more.

Both of your pitfalls result from attributing authority to requests
sent over the agreed communications channel (the session). I don't
think SSL provides for such attribution of authority. The channel is
just a channel, not an authorization.

From the server's perspective, it does not care how a request got to
it, just that the request is properly addressed. In a Droplets
application, http://www.waterken.com/Droplet/, this means that the
request has been addressed to an existing object (i.e., that the Swiss
number in the URL maps to an object on the server). The server doesn't
care if the client used the negotiated channel or not. The server just
has to constrain itself to only replying on the negotiated channel.

To map this into your analogy, a bogus message would never get to the
ambassador because the clerk found that the message was not addressed
to any of the ambassadors in the embassy. If the ambassador does
receive a message, she knows that it must have come from someone with
the authority to send it.

Tyler Close, Founder Waterken Inc.
tyler@waterken.com
A35E 0621 44AD B616 DE29  F8DF 7B4C E859 71AB 47C5


> -----Original Message-----
> From: owner-e-lang@eros-os.org [mailto:owner-e-lang@eros-os.org]On
> Behalf Of Norman Hardy
> Sent: Thursday, January 20, 2000 9:01 PM
> To: e-lang@eros-os.org; Ben Laurie
> Cc: frantz@netcom.com; markm@caplet.com
> Subject: Re: Netscape's use of SSL
>
>
> I have been multiprocessing my reply to the last entry on
> this topic for a
> few weeks. I now have a few notes at
> <http://www.mediacity.com/~norm/SSL/SSL2.html> that I think
> I did not say
> clearly or coherently before.
> Norman Hardy  <http://www.mediacity.com/~norm>
>
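
Added example (not part of the original message, and not Waterken's code): a sketch of the dispatch rule described in the reply, where a request is acted on only if the Swiss number in its URL maps to an object, and a reply is released only on the negotiated channel. The class names, the "/Droplet/<swiss>" path layout and the hashed table key are assumptions made for illustration.

```python
import hashlib
import secrets


class Counter:
    """Constructed sample object that a client may hold a reference to."""
    def __init__(self):
        self.value = 0

    def increment(self):
        self.value += 1
        return self.value


class ObjectTable:
    """Maps unguessable Swiss numbers to server objects (hypothetical design)."""
    def __init__(self):
        self._objects = {}

    @staticmethod
    def _key(swiss):
        # Assumption: index by hash, so a leaked table holds no usable Swiss
        # numbers and lookup time does not depend on matching prefixes.
        return hashlib.sha256(swiss.encode("utf-8")).hexdigest()

    def export(self, obj):
        swiss = secrets.token_urlsafe(32)  # 256 random bits: infeasible to guess
        self._objects[self._key(swiss)] = obj
        return swiss

    def dispatch(self, path, method, on_negotiated_channel):
        """Return (delivered, reply) for a request addressed to `path`."""
        swiss = path.rsplit("/", 1)[-1]
        obj = self._objects.get(self._key(swiss))
        target = None if method.startswith("_") else getattr(obj, method, None)
        if obj is None or not callable(target):
            return False, None  # not addressed to any object: dropped
        result = target()  # authority comes from the address, not the channel
        # The server's only channel duty: reply on the negotiated channel only.
        return True, (result if on_negotiated_channel else None)


if __name__ == "__main__":
    table = ObjectTable()
    swiss = table.export(Counter())
    print(table.dispatch("/Droplet/" + swiss, "increment", True))
    print(table.dispatch("/Droplet/" + "A" * 43, "increment", True))
```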

