On Fri, Aug 1, 2014 at 11:16 AM, David Mazieres <[email protected]> wrote: > Layer-4 security should be like congestion control. It's there and for > the most part it just works and there are only very minor tweaks (like > buffer sizes, enable/disable Nagle, etc., or in tcpinc's case maybe > prioritization among a very small number of cipher suites). Once you > get into loading certificates and human-readable names and such into > your sockets, you're getting into territory that is better served by > existing TLS infrastructure, because the human-readable names come from > the application and require application-level modification anyway.
It's quite fine to want encryption at a lower layer than authentication, but if you do that then you'd better either key the lower layer from the upper layer, or channel bind the lower layer into authentication. What I'd like to see is ECDH with ephemeral public keys for TCPINC with an API by which to extract channel binding data that can be fed into an application-layer protocol. (Perhaps even TLS with null ciphersuite + TCPINC. Whatever.) Nico -- _______________________________________________ Tcpinc mailing list [email protected] https://www.ietf.org/mailman/listinfo/tcpinc
