[241] in WWW Security List Archive


Re: info on proposed SSL protocol and Netscape implementation

daemon@ATHENA.MIT.EDU (hallam@dxal18.cern.ch)
Sun Nov 27 18:55:41 1994

From: hallam@dxal18.cern.ch
To: Marc Horowitz <marc@mit.edu>, www-security@ns1.rutgers.edu
Cc: hallam@dxal18.cern.ch
In-Reply-To: Your message of "Sun, 27 Nov 94 16:19:22 EST."
             <9411272119.AA18209@oliver.MIT.EDU> 
Date: Mon, 28 Nov 94 06:52:57 +0900
Reply-To: hallam@dxal18.cern.ch

>There is already an IETF draft standard which handles (3), is designed
>to allow (2), although there isn't a spec yet, and there are already
>application layers out there for a few common protocols (FTP is the
>only one publicly available right now, as far as I know).  If you're
>doing an internet security protocol and you're not considering GSSAPI,
>I'm curious why.  If you don't know what it is, take a look at RFC's
>1508 and 1509.  There's also an internet-draft spec for a krb5
>mechanism, for which an implementation is freely available as a part
>of the MIT kerberos 5 release.

We have looked at GSSAPI. It is something we could provide as an interface
but it is not something we can build upon. It is simply at a totally different
level of abstraction. We can certainly support it and probably will if there
is a demand.

>I speculate that any protocol at these layers (above IP) which ignores
>GSSAPI is likely to be looked upon poorly by the IETF.

It is not a question of ignoring it, it's a question of how relevant it is.
The IETF is not simply about writing specs and waiting for the world
to implement them. There are an awful lot of IETF specs that never get
anywhere. The IETF is about who has the best solution all things considered.
Acceptance in the marketplace factors big.

The big problem in the security field is not technical but political. PGP has
market acceptance but simply cannot function at the level of the Web. It is
an anarchist system of trust with the inherent administrative problems of
an anarchy. PEM is unacceptable to most users but could be administered - 
perhaps.

It's a bit soon to talk about standards when there is no solution to the basic
political and technical issues involved as of yet. If the IETF's approval was
sufficient we would be using PEM today.


Phill Hallam-Baker
