On Wed, Dec 06, 2006 at 07:16:32PM +0000, [EMAIL PROTECTED] wrote:
[ Authentication vs. Authorization ]
Yes, the real issue is that encryption without authentication does
not necessarily provide confidentiality, the party on the other end of
the encrypted connection could be the same attacker that motivated the
encryption of the traffic, only this time the attacker is active (MITM)
rather than a passive eavesdropper. I rarely bother with mandatory
encryption without authentication, the security model is questionable...
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
