On Wed, Aug 20, 2008 at 1:15 PM, Alex Pankratov <[EMAIL PROTECTED]> wrote: > Based on this reply alone I'm not sure I follow. I also read quickly > through your exchange on TCPM and your comments appear to be specific > to Adam's draft. > > My comment was not related to either a latency or a potential performance > problems of TLS. It was in a response to another idea - that of bundling > TLS handshake with TCP handshake. The goal of this (and I apologize for > stating the obvious, just want to make sure we are on the same page here) > is to provide transparent to application layer opportunistic encryption > of TCP streams. Whether this goal makes any sense and if it is worth > pursuing is a separate issue; it's the DoS aspect of the implementation > idea that I was commenting on.
Sorry, I'm loosing this conversation a little, I think half of it's occuring on mailing lists that I'm not on. If I might speak for another: ekr doesn't believe that an extra RTT of latency is important. This is perfectly reasonable since I can't release any numbers. Thus, Eric is taking the perfectly respectable view that we shouldn't complicate things for dubious benefit. TLS is only one RTT if the session is cached (either server side caching or client side). Without modifying TCP, one could push the server's exchange into the SYNACK and get this down to 0 extra round trips. (needs kernel changes) This would really involve cramming TLS into a very small space and the result would look little like TLS. However, the issue is that, if clients started doing this, they couldn't know if the other end supports it. Thus it wouldn't be very opportunistic. Jamming an extra application layer bit into the TCP SYN was too ugly, thus I'm looking at other methods right now, including keeping state between connections and getting it from DNS. However, transparent proxies are a real pain and getting around them will be ugly. Cheers AGL -- Adam Langley [EMAIL PROTECTED] http://www.imperialviolet.org _______________________________________________ p2p-hackers mailing list [email protected] http://lists.zooko.com/mailman/listinfo/p2p-hackers
