Re: experiments in the ietf week


 



At Mon, 24 Mar 2008 15:17:56 +0100,
Iljitsch van Beijnum wrote:
> 
> On 19 mrt 2008, at 1:46, Eric Rescorla wrote:
> 
> >> A more interesting experiment would be to do away with SSL for a bit
> >> and use IPsec instead.
> 
> > Why would this be either interesting or desirable?
> 
> SSL is vulnerable to more attacks than IPsec and IPsec is more general  
> than SSL. As such it would be good if we could have IPsec deployment  
> similar to SSL deployment, similar to how it would be good to have  
> IPv6 rather than IPv4 deployment, so a similar experiment could be  
> useful in showing what if any the reasons are we're still stuck with  
> the inferior SSL/TLS technology.

One of the true joys of the IETF is watching people explain why 
their favorite technology is superior to the technology people
have actually chosen to use.

Both IPsec and SSL have applications where they are the appropriate
choice. I don't think there's a lot of point in going into them in
detail. But given that the attacks you're mentioning are frankly
irrelevant in 99.9% of cases (btw, I know what TCP spoofing is, but
it's not relevant for TLS, because the application should be looking
at the cryptographic identity, not the transport layer identity), the
notion that we should tear out most of the application layer security
infrastructure to accommodate your notions of architectural
appropriateness strikes me as extremely dubious.

-Ekr




_______________________________________________
IETF mailing list
IETF@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
