It seems to be that every new product there is faced with four choices:
1. do no security;
2. do a quick and nasty home built hack of a protocol;
3. create a good, aligned, secure, precise and appropriate crypto protocol;
4. use a standard tool that is already built, reviewed, tested and safe.
Everyone suggests 4., but, that's too hard, because one still has to select the right one, or to pick the wrong one and then slave through the horribly hard API and all the special hooks and the "must-do-else-your-cat-fries" security parts...
So, 4. is out. Sorry, SSL guys, it's just too hard. Then, 3. is easily dispensed with, as those wunderkinder just don't exist.
Which leaves 1 or 2: Nothing or something really quick and dirty, and probably only somewhat secure.
This is the SSH story. SSH 1 was widely thought to be pretty loose. What happened? It succeeded, partly because the author didn't worry overly about having perfect crypto - he rocked on ahead with something that was "ok".
I have left a lot of your posts unanswered as I could have gone on for ages, but I couldn't let this one slip.
What are your criteria for comparing the respective success of SSH and SSL? I bet the latter gets used by a heck of a lot more people every day, and it is supported by many more programs.
You are free to use any proprietary security protocol you want, including a home-built one or double ROT13. Nobody is forcing you to use SSL/TLS for your own applications.
Obviously most businesses and financial institutions don't agree with your approach, as they prefer to use the open and very popular SSL/TLS protocol, which is supported by a host of programs from many sources, commercial and free, rather than reinvent the wheel and start from scratch as you advocate.
One of the often stated goals of the NSS library is to support this SSL protocol, for the now-defunct Netscape client, the Mozilla client, some other AOL clients, the Sun/iPlanet servers, and incidentally anyone else who wants a free source implementation of that protocol.
Supporting proprietary security protocols is not one of the stated goals of NSS, or of Mozilla.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
