[5119] in cryptography@c2.net mail archive
Re: Clear Session ID in SSLV3
daemon@ATHENA.MIT.EDU (Tom Weinstein)
Fri Jul 16 16:31:29 1999
Date: Fri, 16 Jul 1999 11:39:32 -0700
From: Tom Weinstein <tomw@geocast.com>
To: "Marcus J. Ranum" <mjr@nfr.net>
Cc: cryptography@c2.net
"Marcus J. Ranum" wrote:
>
> Does anyone have a pointer to why the session ID in SSLV3 is
> in the clear, rather than encrypted? I'm sure there's a good
> reason for it (audit? logging? other...?) but I'm trying to
> pin down exactly why it was done that way. Can anyone point
> me in the right direction?
If it was encrypted, you couldn't use it to identify a session when resuming.
Since that was the only reason for having a session ID in the first place, it
wouldn't make any sense to encrypt it.
--
What is appropriate for the master is not appropriate | Tom Weinstein
for the novice. You must understand Tao before        | tomw@geocast.com
transcending structure. -- The Tao of Programming     |
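As an added example (not code from the thread or from any SSL implementation), the point above in Python: a constructed SSLv3 ClientHello is serialized and parsed, and the session ID is read as a plaintext field before any keys exist; the secret material lives only in the server's cache keyed by that ID. Record layout follows the SSLv3/TLS handshake format; cipher-suite values and the cached master secret are sample values.

```python
import struct

# Constructed example: the session_id travels in the clear so the server can
# use it as a lookup key for resumption; it carries no key material itself.
SSL3_VERSION = b"\x03\x00"


def build_client_hello(session_id: bytes, random32: bytes) -> bytes:
    """Serialize an SSLv3 ClientHello inside a handshake record (type 0x16)."""
    assert len(random32) == 32 and len(session_id) <= 32
    cipher_suites = b"\x00\x0a\x00\x04"  # sample suites: 3DES-SHA, RC4-MD5
    body = (SSL3_VERSION + random32
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # 0x01 = ClientHello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def parse_session_id(record: bytes) -> bytes:
    """Extract session_id from a ClientHello; every byte read here is plaintext."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    sid_len = body[2 + 32]          # after client_version (2) and random (32)
    return body[35:35 + sid_len]


class SessionCache:
    """Server-side cache: cleartext session_id -> secret master_secret."""

    def __init__(self):
        self._store = {}

    def store(self, session_id: bytes, master_secret: bytes) -> None:
        self._store[session_id] = master_secret

    def resume(self, record: bytes):
        # None means no cached state (or an empty ID): fall back to a full handshake.
        return self._store.get(parse_session_id(record))
```

Because the ID is only a lookup key, the server must treat the cached master secret, not the ID, as the protected value (bounded lifetime, invalidation on error).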