> On Jul 31, 2015, at 3:58 AM, Cullen Jennings <[email protected]> wrote:
>
> I prefer for the WG to select draft a) draft-rescorla-tcpinc-tls-option-03 as
> the starting point.
>
> The track record of security bugs in developing a new security protocol
> results in me having a strong preference for using something where lots of
> people have spent a lot of time looking at the algorithms. I think using TLS
> as a starting point will result in fewer problems than something new.

To be fair, the variant of TLS that is used tens of billions of times a day and has been analyzed heavily for almost 20 years is one where the server authenticates with a certificate. The ANON_DH or ANON_ECDH(E) variants of the protocol are hardly ever used.

> It's been a long time since I wrote kernel code, but I did the original code
> for the wireless networking in the Linux kernel. I don't buy the argument
> that one cannot write TLS in the kernel. Many embedded systems (such as
> Cisco phones) already do TLS in the kernel. Some of the ways that people do
> SSL-based VPNs (like AnyConnect) also end up with TLS in the kernel.

Definitely. Our SSL VPN server as well as TLS proxy and portals do TLS in the kernel. Works fine.

Yoav

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
