On Sun, Jun 19, 2011 at 4:49 PM, Steven Bellovin <[email protected]> wrote: > On Jun 19, 2011, at 5:36 05PM, Marsh Ray wrote: >> Now I've heard everything. Javascript crypto proponents using it as an >> argument against SSL. Tell them that they should use SSL properly and >> consider that an argument against Javascript crypto instead. And hold on to >> your wallet. > > They solve different problems, at least if used correctly. SSL secures > the channel; Javascript secures (or can secure) the transmitted object itself.
Channel binding helps, if you can trust the end-points of the channel after you've established that there's no MITM. If you don't trust the end-points of the channel even when you've shown there's no MITM then there's no point using the channel at all, and all crypto has to be done at a higher layer. Channel binding allows you to do authentication at a higher layer, where you have the correct context, and bind to lower layer channels, which is where we've invested the most in hardware acceleration. Nico -- _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
