[529] in WWW Security List Archive


Re: SSL etc

daemon@ATHENA.MIT.EDU (Phillip M. Hallam-Baker)
Mon Mar 20 09:02:10 1995

To: "Bryan J. Ischo" <bi04+@andrew.cmu.edu>, www-security@ns2.rutgers.edu
cc: hallam@dxal18.cern.ch
In-reply-to: Your message of "Fri, 17 Mar 1995 17:18:03 EST."
             <AjOUeP600YUII3XrUa@andrew.cmu.edu> 
Date: 	Mon, 20 Mar 1995 11:37:31 +0900
From: "Phillip M. Hallam-Baker" <hallam@dxal18.cern.ch>
Errors-To: owner-www-security@ns2.rutgers.edu


>>          One important point about SSL is that it is not purely limited
>>          to WWW.  I will be implementing SSL for SMTP conversations some
>>          time in the next couple of months.  I am actually trying to
>>          find out what port people would wish that I used.  
>>  
>> This is also a disadvantage, in that the same functionality is being
>> standardized at a different layer, to wit the IP security stuff.

>    I would think that this is actually an advantage.  Once this
>Internet standard IP level security stuff comes along, none of the
>protocols above the SSL security layer need to change.  The SSL layer
>just drops out, and everything remains the same above the SSL layer.  In
>this way NO new protocols other than SSL need to be introduced while
>we're waiting for IP security, and all of the existing protocols
>continue to be relevant after that point.

It depends what you intend to use it for. SSL is a relatively low level security 
scheme. This means that it can be made transparent at the application level but 
also means that the application level doesn't have much control over it.

Any socket level security scheme will still require comprehensive certificate 
handling facilities at the application level. This is where the Web can be used 
to make PEM workable. We can have certificate servers. Instead of passing 
around several Mb of certificates with each mail the parties can present a 
server with a request for a chain of trust satisfying certain criteria. 


	Phill Hallam-Baker
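
The certificate-server lookup suggested in the message above, sketched as an added example that is not part of the original post: a hypothetical server holds a directory of certificates and answers a request for a chain of trust that ends at a root the requester accepts, is unexpired, and stays within a length limit. The `Cert` record, the directory contents and `find_chain` are all assumptions made for illustration; the requester would still have to verify each signature in the returned chain itself.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: int  # expiry year; constructed value for this example

# Constructed directory held by the hypothetical certificate server.
# "Site CA" is cross-certified by two parents (one certificate expired),
# and "Old CA" / "Site CA" certify each other, a loop the search must survive.
DIRECTORY = [
    Cert("alice@example.org", "Site CA", 1997),
    Cert("Site CA", "Old CA", 1994),
    Cert("Site CA", "Policy CA", 1998),
    Cert("Old CA", "Site CA", 1999),
    Cert("Policy CA", "Root A", 2000),
    Cert("Old CA", "Root B", 2000),
]

def find_chain(directory, subject, trusted_roots, now, max_len=5):
    """Return the shortest chain of certs from subject to a trusted root, or None.

    Criteria applied: the chain must end at a name in trusted_roots, contain
    no expired certificate, and hold at most max_len certificates.
    """
    by_subject = {}
    for cert in directory:
        by_subject.setdefault(cert.subject, []).append(cert)

    queue = deque([(subject, [])])  # breadth-first, so the first hit is shortest
    seen = {subject}                # names already reached; prevents looping
    while queue:
        name, chain = queue.popleft()
        if chain and name in trusted_roots:
            return chain
        if len(chain) >= max_len:
            continue
        for cert in by_subject.get(name, []):
            if cert.not_after < now or cert.issuer in seen:
                continue
            seen.add(cert.issuer)
            queue.append((cert.issuer, chain + [cert]))
    return None

if __name__ == "__main__":
    for c in find_chain(DIRECTORY, "alice@example.org", {"Root A"}, now=1995):
        print(f"{c.subject} <- {c.issuer} (valid to {c.not_after})")
```

The reply carries only the few certificates on the selected path, which is the saving the message describes over mailing the whole certificate set with each message.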


