[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SSLeay - Whats the story...
On Fri, 4 Aug 1995, Enzo Michelangeli wrote:
> On Fri, 4 Aug 1995, Alex Tang wrote:
> Perry Metzger and Mark Chen have recently expressed some criticism, and
> Adam Shostack, around the end of May, posted a review that hilighted a
> number of potential problem areas.
Do you have a copy of this?
> Personally, I especially dislike the use of RC4-40 (yes, other algorithms
> are supported, but not using the export version of Netscape Navigator);
Totaly agree, hell, I going to give the option for users and server to
specify at run time which ciphers never to use :-).
> the excessively large portion of the handshaking data exchanged as
> cleartext; and the limitations in certificate management (no provisions
> for verifying the revocation status with a CA).
The clear text I don't like, I agree. But then when used for http,
everything begins with a GET anyway. The CRL verification is again to me
a matter of implementation. Currently my library does not support CRL
(but I can load and manipulate them). It is simply a function of the
infrastructure to go with the library. SSL v3 of the spec does alow for
CRL to be passed along with the certificate heigherachy (a PKCS-7 object).
I'm mostly concered with any objections raised with the protocol, not the
particular implementation around right now. With my library I fully
intend to make it possible to refuse to authenticate the server unless a
current CRL is present.
Anyway, I'm intersted in hearing people complains so I can attempt to
make sure none of the fixable problems are in my library :-)
Eric Young | Signature removed since it was generating
AARNet: [email protected] | more followups that the message contents :-)