Tom and all,
Tom Weinstein wrote:
EKR wrote:
I see several problems here:
1. While overloading the cipherSuites mechanism is convenient and
backwards compatible, it strikes me as ill-advised. In the limit,
we end up with a large number of cipherSuites that differ only
in the types of certificational material they provide. This
fragments effort. Here you call out an RSA/3DES/RIPEMD mode.
If that's a good idea, wouldn't it be a good idea with X.509
certificates as well?
Algorithm choice is largely orthogonal to certificate format and
should be represented as such. That does seem to be a missing
capability in TLS. We should add it rather than hacking around
it.
Agreed. Rather than overloading cipherSuites with information about cert
formats, I think it would be better to extend TLS to provide for cert
format negotiation.
I totally agree. Hence one of the reasons we went ahead and developed our
"Interface Facility (MLPI)" which incorporates this capability for any
set of ciphersuites for most cert formats. I came to this conclusion
over a year ago.
--
What is appropriate for the master is not appropriate | Tom Weinstein
for the novice. You must understand Tao before        | tomw(_at_)netscape(_dot_)com
transcending structure. -- The Tao of Programming     |
Regards,
--
Jeffrey A. Williams
DIR. Internet Network Eng/SR. Java Development Eng.
Information Eng. Group. IEG. INC. (Soon to be INEG. INC) Stay tuned!
Phone: 913-294-2375 (v-office)
E-Mail jwkckid1(_at_)ix(_dot_)netcom(_dot_)com
Wisdom: "One who knows others is wise,
one who knows himself is enlightened."
Lao Tzu