On Wed, 5 May 2004, The Purple Streak, Hilarie Orman wrote:
I think there's a misunderstanding about the encryption requirement.
The IAB guidance was for OPES-processor-to-OPES-processor. There's no
such onus on OCP.
IAB guidance is end-to-end, which includes processor-to-processor and
processor-to-callout_server. Since callout servers may be remote, it
is pointless to ensure processor-to-processor encryption without
processor-to-callout_server encryption!
If IAB did not mention callout servers, it's becuase they did not know
about them or rightly considered them equivalent to other processors
as far as IAB considerations are concerned.
I know a little about security protocols, and I don't see how OCP
defines a secure way to interface to transport security features.
You are absolutely correct:
(a) OCP Core allows for a common (HTTP, BEEP, other?)
interface to transport security.
(b) OCP Core does not define an interface to transport
security.
I strongly advise ditching it rather than trying to repair it.
(c) We are not reparing anything specific to transport
security.
So, in a way, we have already ditched it long time ago when we removed
encryption-related profiles from OCP Core. We are not trying to add
them now. We are simply addressing a very valid comment by Steve
Bellovin that is not really secific to security (it applies to _any_
OCP negotiation).
Hope this clarifies,
Alex.