[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Crypto DLL's/SSLeay 0.4.5




Eric Young writes:
> On the PGPphone issue, I Personally I feel SSLphone would be a much 
> better way of doing things.

Oh, yeah? No user certificates, no way to verify whats on the other
end. No assurances that you aren't being tricked into using a weak
algorithm because negotiation doesn't take place under cover of
signature. Lots of little potential cracks. Thanks, but no thanks.

This is not to slight your code. I'm slighting the protocol.

If folks want to secure links, stick to clean protocols to do the key
negotiation. I'm a fan of variants of STS myself, Photuris being a
biggie.

> For phone over modem, authentication is not really required

And why is that?

Perry