At 5:23 PM -0500 11/2/09, Rob Austein wrote:
...
> I think we are talking slightly past each other, and have been on this
> topic all along. I said "HTTP", you seem to have read "TLS".
What Russ and I proposed was TLS, so that's why I am talking about TLS.
I'm not sure when the suggestion to use TLS was translated into HTTPS.
...
> Remember that the reason we were originally told to use TLS here was
> replay protection. I know you keep saying server protection, but
> that's not how we originally got here. I'm not seeing much replay
> protection in what we've implemented to date, which concerns me, as we
> added a fairly heavyweight mechanism that as far as I can tell has not
> solved the original problem.
My recollection differs somewhat. I think what Russ and I suggested
was using TLS to enable session-level protection, which includes
two-way authentication at the time of session creation (as an input
to access control for the server), session integrity (i.e., dropped
or re-ordered packets are detectable), and session authentication
(i.e., all packets belonging to the same session are verified as
such). Anti-replay at the session level and within a session are two
facets of this protection suite.
Steve
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
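The session-level properties listed in the reply above (integrity against dropped or re-ordered records, and anti-replay both within a session and across sessions) come from the TLS record layer: a key that is fresh for each handshake and an implicit, never-transmitted sequence number are both bound into every record's authentication tag. The Python model below is an added illustration, not code from this thread or from any IETF or RPKI implementation. It simplifies record protection to an HMAC over sequence number plus payload (TLS 1.2 additionally covers type, version and length; TLS 1.3 mixes the sequence number into an AEAD nonce instead), uses randomly generated stand-in keys in place of handshake-derived ones, and does not model the certificate-based two-way authentication at session creation. The class and function names are constructed for this example.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


class RecordProtector:
    """One direction of one protected session (simplified TLS record layer).

    The tag covers an implicit 64-bit sequence number plus the payload. The
    sequence number is never sent; both ends count records, so a record is
    accepted only at the exact position in the stream where it was produced.
    """

    def __init__(self, session_key: bytes) -> None:
        self.session_key = session_key  # fresh for every handshake
        self.send_seq = 0
        self.recv_seq = 0

    def _tag(self, seq: int, payload: bytes) -> bytes:
        return hmac.new(self.session_key,
                        seq.to_bytes(8, "big") + payload,
                        hashlib.sha256).digest()

    def protect(self, payload: bytes) -> bytes:
        record = payload + self._tag(self.send_seq, payload)
        self.send_seq += 1
        return record

    def unprotect(self, record: bytes) -> bytes:
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(self.recv_seq, payload)):
            # Real TLS sends a fatal alert and tears the connection down here.
            raise ValueError("record MAC check failed")
        self.recv_seq += 1
        return payload


def delivers(receiver: RecordProtector, record: bytes) -> bool:
    """True if the receiver accepts the record as the next one in its stream."""
    try:
        receiver.unprotect(record)
        return True
    except ValueError:
        return False


def run_scenarios() -> dict:
    """Exercise the properties the thread names: in-session integrity,
    in-session anti-replay, and cross-session anti-replay."""
    key_a = os.urandom(32)  # constructed stand-in for a handshake-derived key
    sender = RecordProtector(key_a)
    r0, r1, r2 = (sender.protect(m) for m in (b"hello", b"world", b"again"))

    results = {}

    # Honest delivery: every record arrives once, in order.
    rx = RecordProtector(key_a)
    results["in_order"] = (delivers(rx, r0) and delivers(rx, r1)
                           and delivers(rx, r2))

    # In-session replay: the same record presented a second time.
    rx = RecordProtector(key_a)
    delivers(rx, r0)
    delivers(rx, r1)
    results["replay"] = delivers(rx, r1)

    # Re-ordering: r1 arrives before r0.
    rx = RecordProtector(key_a)
    results["reorder"] = delivers(rx, r1)

    # Drop: r1 is lost, so r2 arrives where r1 was expected.
    rx = RecordProtector(key_a)
    delivers(rx, r0)
    results["drop"] = delivers(rx, r2)

    # Cross-session replay: a record from session A offered to session B,
    # whose handshake produced a different key.
    key_b = os.urandom(32)
    rx = RecordProtector(key_b)
    results["cross_session"] = delivers(rx, r0)

    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:14s} accepted={accepted}")
```

Only the in-order delivery is accepted; replayed, re-ordered, post-drop and cross-session records all fail the tag check because the receiver's own counter (or its own key) no longer matches what the sender bound into the record. This is the sense in which a TLS session gives both integrity and anti-replay at the record level without any per-message nonce or timestamp in the application protocol.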