Simple SSL/TLS - Some Questions
Eric Rescorla
ekr at rtfm.com
Tue Oct 7 15:09:16 EDT 2003
Anne & Lynn Wheeler <lynn at garlic.com> writes:
> the client generates a random session key according to the crypto
> preferences, encrypts a credit card number and misc. ancillary
> transaction info with the session key, encrypts the session key with
> the public key (if you really want to simplify to the business
> requirements, directly encrypt with the public key and eliminate the
> session key step)
This doesn't provide equivalent services to TLS--no anti-replay
service for the server.
> .... and use a XTP-like (or some of the emerging
> real-time protocol) .... aka existing SSL is carried on top of TCP
> .... TCP requires a minimum of 7 packet exchange .... and SSL on top
> of that then requires all the negotiation chatter.
With the result that it is now screened out by your current
firewall policies. Good idea.
> This is about as simplified SSL/TLS as you can get based on business
> requirements for the major existing applications using SSL/TLS
This also isn't TLS. It's a protocol that bears some vague resemblence
to TLS.
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list