
Re: [iaik-ssl] How to do client authentication only?



On Wed, 6 Sep 2000, Jos Visser wrote:

> Hi,
> 
> I must say that I find your criticism highly unfair. SSL is not a
> security protocol, it has not been designed to contain, administer
> or grant privileges, and it might not even be the correct protocol
> for your specific application. If it does not do what you want,
> augment it or use something else.

Jos, I take your comments as quite refreshing.

If I could use something else (or let's say, if I wasn't forced to use
SSL), I would.  However, SSL has such gleaming popularity that, in this
world of buzzwords, companies are forcing us to use the wrong tools for
the job, technical merit of the tools to the application be damned.
It says "Security" on the box. Use it.

> Don't complain that a bicycle is of no use on water, and that it
> does not fly.

I think the right comment would be:

This is a bicycle. It doesn't fly, and it doesn't float. Now tell me why
you want me to use it to get you from New York to London?

The answer I always get to that question is:

      But it's a really nice looking bicycle.

Cheers,
-Polar

> ++Jos
> 
> :: 
> :: 
> :: Hi Gerald,
> :: 
> :: This is the biggest problem we have with SSL being a security protocol.
> :: The client cannot be forced to authenticate.
> :: 
> :: You should see the hoops we have to go through for CORBA security (CSIv2)
> :: because of SSL. SSL is chosen because people thought that CORBA SECIOP was
> :: too complicated. 
> :: 
> :: The biggest problem we have is that SSL doesn't follow the GSS-API, and it
> :: doesn't force client authentication. Also, it's so limited that you cannot
> :: stick privileges in it.
> :: 
> :: It's a broken bicycle that shouldn't be allowed to be on the road. But
> :: apparently it's a pretty color and everybody likes it. And of course,
> :: there is nothing else mainstream. We'll ride it with flat tires if we have
> :: to.
> :: 
> :: Good luck,
> :: -Polar
> :: 
> ::  On Wed, 6 Sep 2000, Gerald Brose wrote:
> :: 
> :: > Is it possible to set up SSL such that only the client
> :: > is authenticated, i.e. that only clients but not servers
> :: > need to provide certificates? 
> :: > 
> :: > Setting the cipher suite to allow DH_anon does not work
> :: > because in this case the client cannot be authenticated.
> :: > 
> :: > Thanks, Gerald Brose.
> :: > --
> :: > Gerald Brose,                       Mail:       brose@inf.fu-berlin.de
> :: > FU Berlin        (for PGP key see:) http://www.inf.fu-berlin.de/~brose
> :: > Institut f. Informatik              Phone:         (++49-30) 838-75112
> :: > Berlin, Germany                     Fax:           (++49-30) 838-75109
> :: > --
> :: > Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html
> :: > 
> :: > To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-ssl
> :: >  
> :: > 
> :: 
> :: -------------------------------------------------------------------
> :: Polar Humenn                  Adiron, LLC
> :: mailto:polar@adiron.com       2-212 CST      
> :: Phone: 315-443-3171           Syracuse, NY 13244-4100
> :: Fax:   315-443-4745           http://www.adiron.com
> :: 
> :: 
> 
> 
> -- 
> Love is special, because everyone can "have" it, without it losing
> its value or diminishing its worth.
> 

-------------------------------------------------------------------
Polar Humenn                  Adiron, LLC
mailto:polar@adiron.com       2-212 CST      
Phone: 315-443-3171           Syracuse, NY 13244-4100
Fax:   315-443-4745           http://www.adiron.com

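Gerald's question at the bottom of the quoted thread (client-authenticated SSL without anonymous key exchange) can be answered in code. The following is an added example written for this archive page, not code from the iaik-ssl list, from IAIK's library or from any of the posters; it uses the standard Java JSSE API rather than IAIK's classes. The keystore file names, the password and the port are placeholders. The server still needs its own key pair: no TLS cipher suite authenticates only the client, and the anonymous (DH_anon) suites authenticate neither side, which is why they cannot be used to verify a client certificate. What the server can do is require a client certificate and abort the handshake when none is presented or when it does not chain to a trusted issuer.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not from the iaik-ssl list or the IAIK library): a JSSE server that
 * refuses any client that does not present a certificate chaining to a trusted CA.
 * The server keeps its own key pair because TLS has no client-only-authenticated
 * suite; the anonymous suites (DH_anon) exchange no certificates at all.
 */
public class ClientAuthServer {

    // Placeholder paths and password (assumptions, not values from the thread).
    static final String SERVER_KEYSTORE = "server-keystore.p12";   // server private key + cert chain
    static final String CLIENT_CA_TRUSTSTORE = "client-ca.p12";    // CA(s) that issue client certificates
    static final char[] PASSWORD = "changeit".toCharArray();
    static final int PORT = 8443;

    static SSLContext buildContext() throws Exception {
        // Server identity: what the client will verify.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(SERVER_KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);

        // Trust anchors for client certificates: only these issuers are accepted.
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(CLIENT_CA_TRUSTSTORE)) {
            ts.load(in, PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Keep only suites that authenticate the server with a certificate. With an
     * anonymous or NULL-encryption suite no CertificateRequest is sent, so the
     * client could never be verified.
     */
    static String[] authenticatedSuitesOnly(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            if (!suite.contains("_anon_") && !suite.contains("_NULL_")) {
                keep.add(suite);
            }
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocket server = (SSLServerSocket)
                buildContext().getServerSocketFactory().createServerSocket(PORT);
        server.setEnabledCipherSuites(authenticatedSuitesOnly(server.getSupportedCipherSuites()));
        // Require, not merely request, a client certificate: the handshake fails without one.
        server.setNeedClientAuth(true);

        while (true) {
            try (SSLSocket client = (SSLSocket) server.accept()) {
                client.startHandshake();
                // Only reached when the client certificate validated against the truststore.
                X509Certificate leaf = (X509Certificate) client.getSession().getPeerCertificates()[0];
                System.out.println("authenticated client: " + leaf.getSubjectX500Principal());
                // Authorization (what this identity may do) is a separate decision layered on top;
                // TLS only establishes who the peer is.
            } catch (SSLHandshakeException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it with a server keystore and a truststore of client-issuing CAs in the placeholder locations, then connect with and without a client certificate: the first connection prints the client's subject, the second is rejected during the handshake. The privilege question Polar raises is deliberately left outside this code; the certificate identifies the peer, and any mapping from that identity to permissions belongs to the application.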