> Paper sounds interesting, but unfortunately one has to be a USENIX member
> to read it. Any other URL?

There is a techreport (a slightly older version of the paper) available from:
http://www.citi.umich.edu/techreports

> Rather than changes to SSL, did you look at using a BIO to push onto the
> SSL BIO so you could trap the handshake without modifications? Not clear
> from your patch if this was good enough, or if you really needed additional
> modifications to the handshake.

No, I have not looked at using a BIO for this. It was our first shot at getting things working and getting raw data was the most straightforward way of doing this. However, I'm not sure if BIO buffers inside of the SSL structure are accumulative. I need to be able to hash all the handshake messages and verify the client's signature in the CLIENT_VERIFY message. For this I need all the buffers.

> How does this relate to:
>
> Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)
> (RFC 2712)
> http://www.ietf.org/rfc/rfc2712.txt

Hmm, I'm not sure what you are asking. Verification of the SSL handshake would be independent of the protocol used to secure the connection. The RFC proposes the use of Kerberos cipher suites and as far as I know doesn't deal with delegation of credentials. And even if it were the case, it's not clear that delegation would be better than what we proposed in the paper (I would argue that it wouldn't be).

-Olga
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
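Added example, not part of the original message and not code from the patch or from OpenSSL: a sketch of why all the raw handshake buffers are needed to check the client's verify message. It assumes TLS 1.0 with an RSA client certificate (the signed value is MD5 followed by SHA-1 over every prior handshake message) and a stream holding both directions' plaintext records in the order sent; all function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
CERTIFICATE_VERIFY = 15                  # handshake message type

def handshake_messages(stream):
    """Yield (type, raw message incl. 4-byte header) from plaintext TLS records."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        frag = stream[pos + 5:pos + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record")
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            break                        # later records are encrypted
        if ctype != HANDSHAKE:
            continue                     # alerts are not part of the transcript
        buf += frag                      # a message may span several records
        while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
            end = 4 + int.from_bytes(buf[1:4], "big")
            yield buf[0], buf[:end]
            buf = buf[end:]

def certificate_verify_input(stream):
    """Return (MD5||SHA-1 of all prior handshake messages, CertificateVerify body)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for mtype, raw in handshake_messages(stream):
        if mtype == CERTIFICATE_VERIFY:
            return md5.digest() + sha1.digest(), raw[4:]
        md5.update(raw)
        sha1.update(raw)
    raise ValueError("no CertificateVerify in stream")

# Constructed sample: placeholder bodies, not a real capture.
def _msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _rec(payload, ctype=HANDSHAKE):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

HELLO, CERT, CKX = _msg(1, b"h" * 40), _msg(11, b"c" * 30), _msg(16, b"k" * 20)
SAMPLE = (_rec(HELLO[:10]) + _rec(HELLO[10:])      # one message, two records
          + _rec(CERT + CKX)                       # two messages, one record
          + _rec(_msg(15, b"signature-placeholder"))
          + _rec(b"\x01", CHANGE_CIPHER_SPEC))

if __name__ == "__main__":
    digest, sig = certificate_verify_input(SAMPLE)
    print(digest.hex(), sig)
```

The 36-byte digest is what the client's signature would be checked against with the public key from its certificate; that step is left out here because it needs an RSA library.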
