On Tue, Jul 08, 2003 at 05:31:45PM -0700, Eric Rescorla wrote:
All else being equal, a protocol which provides more security
is better than a protocol which provides less. Now, all things
aren't equal, but if you can offer substantially more security
with only a modest increase in code
tom st denis [EMAIL PROTECTED] writes:
The lib uses RSA for key exchange [and the client may scrutinize the
key before making the connection via a callback], AES-128-CTR [two
different keys for each direction] and SHA1-HMAC. The niche of the lib
is that my library compiles to a mere 10KB.
tom st denis [EMAIL PROTECTED] writes:
--- Eric Rescorla [EMAIL PROTECTED] wrote:
tom st denis [EMAIL PROTECTED] writes:
Two weeks ago I sat down to learn how to code my own SSL lib [key on
being small]. Suffice it to say after reading the 67 page RFC for SSL
3.0 I have no clue
tom st denis [EMAIL PROTECTED] writes:
--- Eric Rescorla [EMAIL PROTECTED] wrote:
In other words, this is just an exercise in Not Invented Here.
Wonderful.
Oh, ok so I need your permission?
No, you don't need my permission. You can do any fool thing you
want. It would just be nice if you
tom st denis [EMAIL PROTECTED] writes:
--- Eric Rescorla [EMAIL PROTECTED] wrote:
Heck, if you could find a security flaw in LibTomNet [v0.03] I'll buy
you a beer.
Your protocol does not appear to have any protection against
active attacks on message sequence, including message
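As an added illustration of the point raised above (this is example code, not LibTomNet and not anything posted in the thread), here is one way a record layer built from the primitives Tom lists (AES-128-CTR with a separate key per direction, HMAC-SHA1) can be bound to message sequence: each direction keeps a counter, the counter is sent in clear with the record, the HMAC covers the counter as well as the ciphertext, and the receiver insists on exactly the next expected value. The framing (seq || ciphertext || tag), the 64-bit counter, deriving the CTR counter block from it, and the keys and messages are all assumptions made for the example. Demo() runs the three attacks such a check stops: replaying an old record, delivering records out of order, and rewriting the sequence field of an old record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const seqLen = 8 // 64-bit big-endian sequence number (assumed framing)

var (
	ErrShort    = errors.New("record too short")
	ErrSequence = errors.New("unexpected sequence number (replay, drop or reorder)")
	ErrMAC      = errors.New("bad MAC (forged or tampered record)")
)

// Endpoint is one direction of the channel: its own AES-128 key, its own
// HMAC-SHA1 key, and a counter that sender and receiver advance in lock step.
type Endpoint struct {
	block  cipher.Block
	macKey []byte
	seq    uint64
}

func NewEndpoint(aesKey, macKey []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(aesKey) // 16-byte key => AES-128
	if err != nil {
		return nil, err
	}
	return &Endpoint{block: block, macKey: macKey}, nil
}

// tag computes HMAC-SHA1 over seq || ciphertext; covering seq is the point.
func (e *Endpoint) tag(seq, ct []byte) []byte {
	m := hmac.New(sha1.New, e.macKey)
	m.Write(seq)
	m.Write(ct)
	return m.Sum(nil)
}

// ctr builds the CTR counter block for a record: seq || zero block counter.
// seq is never reused under one key, so neither is any counter block.
func (e *Endpoint) ctr(seq []byte) cipher.Stream {
	iv := make([]byte, aes.BlockSize)
	copy(iv, seq)
	return cipher.NewCTR(e.block, iv)
}

// Seal frames plaintext as seq || ciphertext || HMAC-SHA1(seq || ciphertext).
func (e *Endpoint) Seal(pt []byte) []byte {
	seq := make([]byte, seqLen)
	binary.BigEndian.PutUint64(seq, e.seq)
	ct := make([]byte, len(pt))
	e.ctr(seq).XORKeyStream(ct, pt)
	e.seq++
	rec := append(seq, ct...)
	return append(rec, e.tag(seq, ct)...)
}

// Open accepts a record only if its MAC verifies and it carries exactly the
// next expected sequence number. The MAC is checked first: an attacker can
// rewrite the clear sequence field but cannot recompute the tag over it.
func (e *Endpoint) Open(rec []byte) ([]byte, error) {
	if len(rec) < seqLen+sha1.Size {
		return nil, ErrShort
	}
	seq := rec[:seqLen]
	ct := rec[seqLen : len(rec)-sha1.Size]
	if !hmac.Equal(rec[len(rec)-sha1.Size:], e.tag(seq, ct)) {
		return nil, ErrMAC
	}
	if binary.BigEndian.Uint64(seq) != e.seq {
		return nil, ErrSequence
	}
	pt := make([]byte, len(ct))
	e.ctr(seq).XORKeyStream(pt, ct)
	e.seq++
	return pt, nil
}

// Demo delivers two genuine records, then tries a replay, a reorder and a
// rewritten sequence field, returning the error each attack produced.
func Demo() (replay, reorder, rewrite error) {
	aesKey := []byte("0123456789abcdef") // constructed keys for the example
	macKey := []byte("fedcba9876543210")
	tx, _ := NewEndpoint(aesKey, macKey)
	rx, _ := NewEndpoint(aesKey, macKey)
	r0 := tx.Seal([]byte("transfer 10"))
	r1 := tx.Seal([]byte("transfer 20"))
	rx.Open(r0)
	rx.Open(r1)
	_, replay = rx.Open(r0)             // old record delivered again
	tx.Seal([]byte("transfer 30"))      // record 2, withheld by the attacker
	r3 := tx.Seal([]byte("transfer 40"))
	_, reorder = rx.Open(r3)            // record 3 arrives before record 2
	forged := append([]byte(nil), r0...) // old record with seq field set to "current"
	binary.BigEndian.PutUint64(forged[:seqLen], rx.seq)
	_, rewrite = rx.Open(forged)
	return replay, reorder, rewrite
}

func main() {
	replay, reorder, rewrite := Demo()
	fmt.Println("replay:", replay, "| reorder:", reorder, "| rewritten seq:", rewrite)
}
```

Both halves are needed: the counter in the MAC alone would still let an attacker re-deliver a genuine old record (its tag is valid), and the receiver's counter check alone would let an attacker edit the clear sequence field of an old record to whatever is expected. The strict "exactly the next value" rule assumes a reliable transport underneath, which is what SSL/TLS also assumes; a datagram protocol would need a window instead.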
tom st denis [EMAIL PROTECTED] writes:
--- Eric Rescorla [EMAIL PROTECTED] wrote:
tom st denis [EMAIL PROTECTED] writes:
The point I'm trying to make is that just because a fairly standard
product exists doesn't mean diversity is a bad thing. Yes, people may
fail to create
On Tue, Jul 08, 2003 at 02:20:46PM -0700, Eric Murray wrote:
For comparison purposes, I have a copy of an SSLv3/TLS client library
I wrote in 1997. It's 56k of (Intel Linux) code for everything
except RSA. That includes the ASN.1 and X.509 parser.
Implementing the server-specific parts
Ian Grigg [EMAIL PROTECTED] writes:
Eric Rescorla wrote:
My logic is that if you're going to create something new, it should
be better than what already exists.
Right. But better is not a binary choice in real life. SSL is only
better if it exceeds all requirements when compared