"James A. Donald" <jam...@echeque.com> writes:

>I cannot see how you could create a bank web page without a web application
>framework (counting mod-php as a very primitive web application framework)
>and scripting and a database, which scripting and database has to know who it
>is is that logged in

We really are talking about completely different things here.  The scripting
and whatnot has nothing to do with TLS or TLS auth mechanisms.  The only thing
you need to care about (if you really want to go this way) is channel binding.

>The information about which user, which database primary key is logged in,
>has to be passed up through one layer after another and from one process to

Yeah, and that's what channel binding is for.

>The plumbing really is that complicated.

Only if you deliberately choose to make it so.  Read the RFCs I mentioned

>Because keep-alive usually fails for plumbing reasons, standard TLS usually
>does the PKI-based non-authentication dance every page, resulting in
>additional round trips, resulting in painfully bad performance for SSL web

But TLS doesn't work like that.  If it did, you'd get a cert popup every time
you clicked on a link on a TLS-protected web site.  Unless you somehow manage
to flush the TLS session cache on the server (which seems unlikely unless
you're DoS'ing it) there's no additional round-trip(s), or additional anything
for that matter.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to