On Tue, Jun 21, 2011 at 4:14 PM, Ian G <[email protected]> wrote:
>> Why not send *all* your network traffic over TLS?
>
> The typical reasons for not using TLS would be (a) it's a stream-oriented
> point-to-point protocol, whereas most activity is app-level
> datagram-oriented, (b) it's too closely linked with PKI / x509
> implementations, which is too clumsy in many ways, and (c) it only delivers
> a relatively small subset of a fuller security model.

See also: DTLS (Datagram-oriented TLS) and the GSS-API, both of which can
handle datagram-oriented apps.

> ( I don't know for sure, but I gather the JavaScript people have gone a lot
> further towards datagram programming than the pre-JS 1990s school. The
> temptation to throw out TLS is stronger as you get closer to the datagram,
> and as you do more of a full security analysis. )

Color me skeptical. With fast session resumption with stateless servers,
HTTPS is really quite close to being as good as a datagram-oriented channel.
And if there are still performance issues, let's address those in TLS.

Alternatively, what are the apps *not* protecting if they use JS crypto? Is
that safe, and in what threat model?

Nico

--
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
