[5117] in cryptography@c2.net mail archive


Re: Clear Session ID in SSLV3

daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Jul 16 11:58:57 1999

Date: Fri, 16 Jul 1999 10:22:23 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: "Marcus J. Ranum" <mjr@nfr.net>
Cc: cryptography@c2.net

"Marcus J. Ranum" wrote:
> 
> Does anyone have a pointer to why the session ID in SSLV3 is
> in the clear, rather than encrypted? I'm sure there's a good
> reason for it (audit? logging? other...?)  but I'm trying to
> pin down exactly why it was done that way. Can anyone point
> me in the right direction?

Because the session ID is used to restore the shared cryptographic
environment, for performance reasons. Hence it has to be in the clear.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
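
Added example, not part of the original message: a Python sketch of the server-side lookup the reply describes. The session ID arrives in the ClientHello, before any keys for the new connection exist, and it is the index the server uses to find the cached master secret. The function names, the dict-based cache and the sample bytes are constructed for illustration.

```python
import struct

def parse_session_id(record: bytes) -> bytes:
    """Return the session_id field of an SSLv3 ClientHello record."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or len(body) < 4 or body[0] != 1:
        raise ValueError("not a complete ClientHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version (2) + random (32) + session_id length (1) = 35 bytes
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return hello[35:35 + sid_len]

def server_decide(record: bytes, cache: dict):
    """Pick resume vs. full handshake from the plaintext session_id alone."""
    sid = parse_session_id(record)
    if sid and sid in cache:
        return ("resume", cache[sid])      # cached 48-byte master secret
    return ("full_handshake", None)        # empty or unknown ID

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed sample: SSL 3.0 ClientHello with an all-zero random."""
    hello = (b"\x03\x00" + bytes(32)
             + bytes([len(session_id)]) + session_id
             + b"\x00\x02\x00\x0a"         # one suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
             + b"\x01\x00")                # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    known = bytes(range(32))               # constructed session ID
    cache = {known: b"\x4d" * 48}          # constructed master secret
    print(server_decide(build_client_hello(known), cache)[0])
    print(server_decide(build_client_hello(b""), cache)[0])
```

The ID is only an index into the cache; the master secret it points to never crosses the wire, and a resumed connection still derives fresh keys from it and the new hello randoms.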

