> For server authentication, TLS imposes four costs.
>
> Three are trivial: the amount of CPU usage for key exchange,

Plus potential handshake delay - note that an ALTO query could be part of a latency-sensitive operation, and ALTO server and clients could be geographically distributed.

> the cost for a certificate (GoDaddy claims $6/year), and the
> need to use a distinct IP for the hostname if you can't
> support Server Name Identification.
>
> One is real: making sure you don't screw up on installing and
> rolling the certificate.
>
> Both #2 and #3 have the same cost.
>
>
> But TLS offers a huge advantage: Proxies abound, and HTTP
> proxies even more so. The result is there are an amazing
> number of network devices which think they are smarter than
> the traffic, but well, they aren't. E.g. half of the in-path
> HTTP caches cache data incorrectly. Cellphone networks now
> experience image transcoding, etc.

Why would such proxies be relevant if the ALTO client and the ALTO server run on two high-end servers inside the same data center rack, with a dedicated and isolated 1 or 10 Gbit/s network link in between them? ALTO is a generic protocol. It can be deployed in very different ways.

Michael

> If you want to avoid the headaches caused by these
> too-smart-for-their-own-good middleboxes, you have to use TLS
> on port 443, it's just about the only port and protocol that's
> unmolested by the network.
>
> For client authentication, TLS is a pain. But it depends on
> context: if it's new program to server, TLS client
> authentication is no worse than ANY other authentication
> mechanism, as you still have the exchange/pairing problem no
> matter what. If it's User to Server, it's an utter abominable failure.

_______________________________________________
alto mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/alto
