The poster forgot to include the only list that counts, the IETF where 
Last Calls are discussed.

This is not mail, where Application level security makes sense.  This is 
Telnet, a service that is explicitly and only an on-line, connected, 
end-to-end protocol.  Another layer of security adds no value.

Especially as this has admitted security problems!  I have no stomach for 
"blessing" bad ideas, just because they've been used for a long time....

If nobody would suggest a similar design today, then publishing them with 
Historic designation might be appropriate.

-------- Original Message --------
Subject: Re: Last Call: Telnet Authentication Option to Proposed Standard
Date: 24 Nov 1999 10:21:09 +0100
From: [EMAIL PROTECTED] (Johan Danielsson)
To: William Allen Simpson <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]

William Allen Simpson <[EMAIL PROTECTED]> writes:

> We already have authentication and encryption at link layer (PPP),
> network layer (IPSec), transport layer (TLS), and session layer
> (SecSHell).  Why do we need application layer security, too?

This is another debate, but I would argue that it's *only* at the
`application layer' that encryption and authentication make
sense. How can I trust IPsec when I don't know who's controlling the
keys? Encryption at other levels might have their own applications,
but it doesn't necessarily provide any explicit security to the end
user.

Anyway, the telnet encryption stuff has been in use for many years,
and this is just a revival of some old drafts. They do have security
problems, and nobody would suggest a similar design today.

/Johan
