1995-08-24 - Re: Crypto DLL’s/SSLeay 0.4.5

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: Eric Young <eay@mincom.oz.au>
Message Hash: 37fc7d61c2456c66c26f8bc2bc8328a39748a1268b89a3b4ec6756035bf22cae
Message ID: <199508241311.JAA13033@frankenstein.piermont.com>
Reply To: <Pine.SOL.3.91.950824215822.9077D-100000@orb>
UTC Datetime: 1995-08-24 13:11:58 UTC
Raw Date: Thu, 24 Aug 95 06:11:58 PDT

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Thu, 24 Aug 95 06:11:58 PDT
To: Eric Young <eay@mincom.oz.au>
Subject: Re: Crypto DLL's/SSLeay 0.4.5
In-Reply-To: <Pine.SOL.3.91.950824215822.9077D-100000@orb>
Message-ID: <199508241311.JAA13033@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Eric Young writes:
> On the PGPphone issue, I Personally I feel SSLphone would be a much 
> better way of doing things.

Oh, yeah? No user certificates, no way to verify whats on the other
end. No assurances that you aren't being tricked into using a weak
algorithm because negotiation doesn't take place under cover of
signature. Lots of little potential cracks. Thanks, but no thanks.

This is not to slight your code. I'm slighting the protocol.

If folks want to secure links, stick to clean protocols to do the key
negotiation. I'm a fan of variants of STS myself, Photuris being a
biggie.

> For phone over modem, authentication is not really required

And why is that?

Perry





Thread