Simple SSL/TLS - Some Questions
Ian Grigg
iang at systemics.com
Tue Oct 7 20:38:34 EDT 2003
Anne & Lynn Wheeler wrote:
>
> At 12:09 PM 10/7/2003 -0700, Eric Rescorla wrote:
> >This doesn't provide equivalent services to TLS--no anti-replay
> >service for the server.
>
> KISS ... for the primary business requirement .... the application already
> has anti-replay .... TLS ant-replay is then redundant and superfluous.
Well, that is correct, all financial cryptography
protocols will have end-to-end replay, and in this
sense, the anti-reply of TLS is not needed / gets
in the way if one is doing financial stuff.
( I've recently discovered this wierdness in Java where
it automatically launches the entire POST again if
it sees a problem, thus resulting in two transaction
requests. Of course, the protocols pick it up and
there is no danger, but I can't figure out how to
easily stop the client side telling the user that
the transaction had already been done.... )
> yes, it isn't existing TLS .... it is KISS TLS based on primary business
> requirement ... as mentioned in original, not on existing specification
> for existing implementation
> http://www.garlic.com/~lynn/aadsm15.htm#19
You are not being fair, Lynn, you are hijacking
the name of TLS, in order to promote a protocol
to protect credit cards.
What you described was practically nothing to do
with TLS/SSL...
Such a protocol would be quite useful no doubt,
but it has little to do with TLS' design goal of
being a full service channel security product.
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list