ietf-openpgp

Re: Proposed Extensions to TLS for OpenPGP

1997-12-29 22:40:34
EKR wrote:

I see several problems here:
1. While overloading the cipherSuites mechanism is convenient and
backwards compatible, it strikes me as ill-advised. In the limit,
we end up with a large number of cipherSuites that differ only
in the types of certificational material they provide. This
fragments effort. Here you call out an RSA/3DES/RIPEMD mode.
If that's a good idea, wouldn't it be a good idea with X.509
certificates as well?

Algorithm choice is largely orthogonal to certificate format and
should be represented as such. That does seem to be a missing
capability in TLS. We should add it rather than hacking around
it.

Agreed.  Rather than overloading cipherSuites with information about cert
formats, I think it would be better to extend TLS to provide for cert
format negotiation.

-- 
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before      | tomw(_at_)netscape(_dot_)com
transcending structure.  -- The Tao of Programming   |
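To make the fragmentation argument in this exchange concrete, here is an added illustration (not code from the list, from TLS, or from either author): it models the two designs, cipher suites that also encode the certificate format versus suites negotiated separately from a certificate-format list, counts the suites each design needs, and runs a simple negotiation. Suite names and format labels are constructed for the model and are not real TLS code points.

```python
from itertools import product

# Constructed parameter sets for the model; they are not real TLS registries.
KEY_EXCHANGE = ["RSA", "DHE_DSS"]
CIPHERS = ["3DES_EDE_CBC", "RC4_128"]
HASHES = ["SHA", "RIPEMD160"]
CERT_FORMATS = ["X509", "OPENPGP"]


def overloaded_suites(cert_formats=CERT_FORMATS):
    """Design 1: the cert format is baked into the suite, so every
    algorithm combination is duplicated once per certificate format."""
    return [
        f"TLS_{kx}_{fmt}_WITH_{c}_{h}"
        for kx, fmt, c, h in product(KEY_EXCHANGE, cert_formats, CIPHERS, HASHES)
    ]


def orthogonal_suites():
    """Design 2: suites name only algorithms; the cert format is a
    separate negotiable list, so adding a format adds one value, not
    another full copy of the suite table."""
    return [
        f"TLS_{kx}_WITH_{c}_{h}"
        for kx, c, h in product(KEY_EXCHANGE, CIPHERS, HASHES)
    ]


def negotiate(client_suites, client_formats, server_suites, server_formats):
    """Design 2 negotiation: the server takes the client's most preferred
    suite it supports and, independently, the client's most preferred
    certificate format it supports. Either intersection being empty
    fails the handshake, so a peer cannot end up with a suite whose
    certificate material it cannot process."""
    suite = next((s for s in client_suites if s in server_suites), None)
    fmt = next((f for f in client_formats if f in server_formats), None)
    if suite is None or fmt is None:
        return None
    return suite, fmt


def table_growth(extra_formats):
    """How many suite identifiers each design needs once `extra_formats`
    more certificate formats are added: the overloaded table grows
    multiplicatively, the orthogonal one stays fixed."""
    formats = CERT_FORMATS + [f"FORMAT{i}" for i in range(extra_formats)]
    return len(overloaded_suites(formats)), len(orthogonal_suites())
```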