[anonsec] 3401 and highjacking
Nicolas.Williams at sun.com
Fri Feb 24 09:45:55 PST 2006
On Thu, Feb 23, 2006 at 06:18:23PM -0500, Stephen Kent wrote:
> >None of these are solved by SSL; SSL has corresponding solutions for the
> >first three, but in no case does it protect the transport connection.
> You are right that SSL/TLS does not protect the transport layer, but
> that was not what you asked me to address via that list.
It's session protection, but it's meant to seem like transport
> >I.e., what is the motivation for BTNS that does not include - if not
> >focus - on transport protection?
> Channel binding functionality does not explicitly demand transport
> layer protection.
Channel binding demans channels to bind to. Such channels must: a)
provide adequate (for the cb app) protection for data sent over it, b)
provide a way to cryptographically bind to it.
> My recollection from the BOF was that only some of the cited
> motivations for BTNS explicitly cite transport layer protection. When
> applications want to use lower layer security mechanisms to enable
> higher performance via off-loading crypto to a different processor,
> that can be achieved via SSL/TLS, for example.
Yes, that's my motivation.
> I think the crux of our possible disagreement is that you see every
> BTNS motivation as demanding protection for the transport layer
> protocol, whole I see only one of cited motivations as emphasizing
> this requirement.
We must be converging -- your disagreements with either Joe or myself
are more and more matters of degree :)
More information about the ANONSEC