"Marcus J. Ranum" wrote:
>
> Does anyone have a pointer to why the session ID in SSLv3 is
> in the clear, rather than encrypted? I'm sure there's a good
> reason for it (audit? logging? other...?) but I'm trying to
> pin down exactly why it was done that way. Can anyone point
> me in the right direction?
If it was encrypted, you couldn't use it to identify a session when resuming.
Since that was the only reason for having a session ID in the first place, it
wouldn't make any sense to encrypt it.
--
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice. You must understand Tao before | [EMAIL PROTECTED]
transcending structure. -- The Tao of Programming |
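
The lookup described in the reply above, as an added example that is not part of the original thread: the server reads the session ID from the plaintext ClientHello and uses it as the cache key before any key material exists for that connection. The names SessionCache, build_client_hello and parse_session_id are hypothetical, and the ClientHello bytes are constructed sample input.

```python
import os
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01

def build_client_hello(session_id: bytes) -> bytes:
    """Build a minimal SSLv3 ClientHello record (constructed sample input)."""
    body = (b"\x03\x00"                            # client_version: SSL 3.0
            + os.urandom(32)                       # client random
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", 2) + b"\x00\x0a"   # one cipher suite (0x000A)
            + b"\x01\x00")                         # null compression only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x00" + struct.pack(">H", len(hs)) + hs

def parse_session_id(record: bytes) -> bytes:
    """Extract session_id from a plaintext ClientHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                 # client_version (2) + random (32) + length (1)
        raise ValueError("truncated ClientHello")
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return body[35:35 + sid_len]

class SessionCache:
    """Server-side cache mapping session_id -> master secret."""
    def __init__(self):
        self._store = {}

    def new_session(self) -> bytes:
        sid = os.urandom(32)
        self._store[sid] = os.urandom(48)   # 48-byte master secret
        return sid

    def on_client_hello(self, record: bytes):
        # No keys exist yet for this connection, so the only way to find the
        # cached secret is the cleartext session_id the client sent.
        sid = parse_session_id(record)
        secret = self._store.get(sid) if sid else None
        return ("resume", secret) if secret else ("full_handshake", None)
```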