"James A. Donald" <jam...@echeque.com> writes:

>I cannot see how you could create a bank web page without a web application
>framework (counting mod-php as a very primitive web application framework)
>and scripting and a database, which scripting and database has to know who it
>is that logged in

We really are talking about completely different things here. The scripting and whatnot has nothing to do with TLS or TLS auth mechanisms. The only thing you need to care about (if you really want to go this way) is channel binding.

>The information about which user, which database primary key is logged in,
>has to be passed up through one layer after another and from one process to
>another.

Yeah, and that's what channel binding is for.

>The plumbing really is that complicated.

Only if you deliberately choose to make it so. Read the RFCs I mentioned earlier.

>Because keep-alive usually fails for plumbing reasons, standard TLS usually
>does the PKI-based non-authentication dance every page, resulting in
>additional round trips, resulting in painfully bad performance for SSL web
>sites

But TLS doesn't work like that. If it did, you'd get a cert popup every time you clicked on a link on a TLS-protected web site. Unless you somehow manage to flush the TLS session cache on the server (which seems unlikely unless you're DoS'ing it) there's no additional round-trip(s), or additional anything for that matter.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
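An added illustration of the channel-binding point made in the reply above (this is example code, not code from either poster or from any RFC): the application layer proves the login over an HMAC that includes the channel's binding value, so the only thing the lower layers have to hand upward is the user id and that value, not a fresh authentication. In a real deployment the binding value would be the TLS session's `tls-unique` value (RFC 5929) read from the TLS library; here the two values `cb_a` and `cb_b`, the shared secret and the user name are constructed byte strings so the script runs offline.

```python
import hashlib
import hmac


def make_login_proof(user_secret: bytes, channel_binding: bytes, user_id: str) -> bytes:
    """Client side: an HMAC over the user id and the channel-binding value.

    Including channel_binding ties the proof to the one TLS channel it was
    produced on; the same proof replayed over another channel will not verify.
    """
    msg = b"login-proof\x00" + user_id.encode("utf-8") + b"\x00" + channel_binding
    return hmac.new(user_secret, msg, hashlib.sha256).digest()


def verify_login_proof(user_secret: bytes, channel_binding: bytes,
                       user_id: str, proof: bytes) -> bool:
    """Server/application side: recompute the proof for *this* channel and compare.

    The TLS layer only needs to pass up the channel-binding value of the
    connection the request arrived on; the application does the check.
    """
    expected = make_login_proof(user_secret, channel_binding, user_id)
    return hmac.compare_digest(expected, proof)


def demo() -> tuple:
    """Return (accepted on the original channel, accepted when replayed elsewhere)."""
    # Constructed values; a real tls-unique value comes from the TLS session.
    secret = b"constructed-shared-secret-for-alice"
    cb_a = b"constructed-tls-unique-channel-A"
    cb_b = b"constructed-tls-unique-channel-B"

    proof = make_login_proof(secret, cb_a, "alice")
    on_same_channel = verify_login_proof(secret, cb_a, "alice", proof)
    on_other_channel = verify_login_proof(secret, cb_b, "alice", proof)
    return on_same_channel, on_other_channel


if __name__ == "__main__":
    same, other = demo()
    print("accepted on originating channel:", same)
    print("accepted when relayed over another channel:", other)
```

Note that nothing above re-runs the PKI handshake per request: the TLS session (and its binding value) is established once and the application simply keys its own login check to it.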