e-lang: Re: Pluribus

Re: Pluribus Ben Laurie (ben@algroup.co.uk)
Sat, 06 Nov 1999 18:29:03 +0000

Messages sorted by: [ date ][ thread ][ subject ][ author ] [ Next ]
[ Previous ] In reply to: Mark S. Miller Next in thread: Bill Frantz

"Mark S. Miller" wrote:
>
> At 04:34 AM 11/6/99 , Ben Laurie wrote:
> >Following on from these comments, something I've been wondering for a
> >while is why not just use TLS?
>
> I believe the short answer is "wrong handshake". The longer answer is Bill's
> http://www.erights.org/to-be-sorted/SSLvsEComm.html

Hmmm ... well, he says that ID_SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA isn't supported, but OpenSSL supports it (and others with perfect forward secrecy).

As for the X509 point: "Our application is set up to accept a key pair "cert" as the top level CA. We distribute both the public and private keys to that CA as part of the application. When a vat goes to create an identity, it creates a certificate which associates the RegistrarID (the hash of the public key) as the X.509 destinguished name with the new public key for the identity. When it builds a SSL connection, it passes that certificate to the other"

In fact, you don't even need to distribute a CA cert - you just use a self-signed cert as your server cert.

I don't understand why "we will need to add certificate checking that ensures that the distinguished name is indeed the hash of the public key" is necessary at all. Who cares what the DN is if you have the key in your hand?

DSS is supported in OpenSSL (not in a standardised way, but that shouldn't be an issue, I'd say).

"Client Server vs. Peer to Peer" - it seems to me this is meaningless. Each peer acts as a client when it initiates a connection and a server what it receives one. SSL is used in the obvious way in each case.

As for PLS, surely this is orthogonal to SSL - a) it is erroneous to say "An SSL client always knows where to contact his server. It is port 443 on host foo.bar.com" - that is HTTPS not SSL, and anyway, where did we get foo.bar.com from? It is no more true than it would be if you substituted "TCP" for "SSL". b) SSL is for securely transporting data. It operates at effectively the same level as TCP. The question of PLS just isn't in scope.

In short, I find myself entirely unconvinced by the arguments. Are there any more?

BTW, why does the page only mention commercial SSL implementations, and not any of the free ones?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi

[ Next ]

[ Previous ] In reply to: Mark S. Miller Next in thread: Bill Frantz