[525] in WWW Security List Archive


Apologies and Clarifications

daemon@ATHENA.MIT.EDU (Bryan J. Ischo)
Fri Mar 17 01:27:20 1995

Date: Thu, 16 Mar 1995 21:54:05 -0500 (EST)
From: "Bryan J. Ischo" <bi04+@andrew.cmu.edu>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


Hi again.  I'd like to offer public apologies to EIT for what seemed
like a badmouth of their product.  As it turns out, the reason that the
Terisa library I was using did not work was due to an error in
transmission during the FTP.  Terisa Systems, and in particular Eric
Rescorla, was extremely prompt in responding to my post to this list,
and providing me with a working library.

Furthermore, Terisa was able to provide more documentation which
hopefully will clear up many of the problems I was having with their
product.

When I stated my opinions on the SHTTP vs. SSL debate, I was hoping that
it would be clear that I was expressing an opinion based on very little
in-depth knowledge of security issues; that was, in fact, the very point
of what I was saying: I know little about security but I did find it
much easier to understand the SSL protocol than the SHTTP.  I stand by
my opinion that SSL is more straightforward than SHTTP and that in terms
of pure protocol (i.e. human readable vs. machine readable) SSL is
better designed - and I think that a protocol-independent security layer
like SSL is a very valuable thing.  But I concede that part of the
complexity of SHTTP is due to its providing digital signatures as well
as other forms of security/privacy enhancements that SSL does not.

What we *really* need is a protocol with all of the security features of
SHTTP but with the session-oriented binary protocol and
protocol-independent layering structure of SSL :).

Best Wishes,
Bryan

