towards https everywhere and strict transport security (was: Has there been a change in US banking regulations recently?)

Anne & Lynn Wheeler lynn at garlic.com
Wed Aug 25 15:31:10 EDT 2010


On 08/25/2010 09:04 AM, Richard Salz wrote:
>> Also, note that HSTS is presently specific to HTTP. One could imagine
>> expressing a more generic "STS" policy for an entire site
>
> A really knowledgeable net-head told me the other day that the problem
> with SSL/TLS is that it has too many round-trips.  In fact, the RTT costs
> are now more prohibitive than the crypto costs.  I was quite surprised to
> hear this; he was stunned to find it out.
>
> Look at the "tlsnextprotonec" IETF draft, the Google involvement in SPDY,
> and perhaps this message as a jumping-off point for both:
> http://web.archiveorange.com/archive/v/c2Jaqz6aELyC8Ec4SrLY
>
> I was happy to see that the interest is in piggy-backing, not in changing
> SSL/TLS.
>

the work on HSP (high-speed protocol) in the late 80s was to do reliable transmission
in a minimum 3-packet exchange; compared to a 5-packet minimum for VMTP (rfc1045) and
a 7-packet minimum for tcp (disclaimer, I was on the related technical advisory board
for HSP ... while at IBM ... over strong objections from the communication division;
which also strongly protested that we had come up with a 3-tier architecture and were
out pitching it to customer executives ... at a time when they were attempting
to get the client/server genie back into the terminal emulation bottle)

then SSL, theoretically being stateless on top of tcp, added a whole bunch of
additional chatter. there have frequently been changing trade-offs between
transmission and processing ... but SSL started out being excessive in both
transmission and processing (in addition to having a deployment requirement that
the user understand the relationship between the website they believed they
were talking to and the URL they had to supply to the browser ... a requirement
that was almost immediately violated).

my pitch forever has been to leverage key distribution piggy-backed on the
domain name to ip-address (dns) response ... and use that to do an
encrypted/validated reliable transaction within the HSP 3-packet minimum exchange.

as previously mentioned, somewhere back behind everything else ... there
is strong financial motivation in the sale of the SSL domain name digital
certificates.

-- 
virtualization experience starting Jan1968, online at home since Mar1970

---------------------------------------------------------------------
The Cryptography Mailing List