1995-09-20 - Re: Please send me SSL problems…

Header Data

From: hallam@w3.org
To: cypherpunks@toad.com
Message Hash: b6cd0f39a1f26903168b60d07837c18786aabd1409d9b4453d7935f6bedaa5b8
Message ID: <9509201937.AA00765@zorch.w3.org>
Reply To: <v02110104ac85a804545b@[204.179.132.1]>
UTC Datetime: 1995-09-20 19:37:53 UTC
Raw Date: Wed, 20 Sep 95 12:37:53 PDT

Raw message

From: hallam@w3.org
Date: Wed, 20 Sep 95 12:37:53 PDT
To: cypherpunks@toad.com
Subject: Re: Please send me SSL problems...
In-Reply-To: <v02110104ac85a804545b@[204.179.132.1]>
Message-ID: <9509201937.AA00765@zorch.w3.org>
MIME-Version: 1.0
Content-Type: text/plain



>Jeff, the SSL specification has a severe *architectural* problem - it
>assumes that Internet Protocols are APIs - interface standards, and that
>you can just slide a "layer" underneath without anyone noticing. Such is
>not the case - all the Internet Protocols are real protocol standards, in
>that they specify the syntax, order, and semantics of the actual bits on
>the wire. The IETF quite explicitly doesn't care about APIs - that's a host
>software issue, and it doesn't matter what the host software looks like (or
>even what the machine looks like), so long as it gets the bits on the wire
>right, according to the protocol spec. This is how the Internet can make
>very strong guarantees about interoperability.

I agree with parts of this and disagree with other parts. 

The IETF does not as a whole care about APIs. The one exception being the GSS 
API which appears to be intended as a means of cicumventing ITAR. Nobody asked 
me about GSS API but a lot of people have assumed that because it comes from the 
IETF it should be the basis for the Web security protocols. I'm affraid that I 
can't see any real connection between the GSS view of the world and my own. 
Hence I find that API more of a hinderance (having to explain why not to use it) 
rather than a help.

The specific criticism of SSL, that it is layer replacement highlights a 
fundamental error made by many IETF people. The purpose of a layered protocol 
model is precisely to permit the underlying layers to be altered without 
affecting the upper layers. NNTP runs very happily on either TCP/IP or on DECnet 
for example.

Where I think SSL went wrong was in the approach taken to URLs. Rather than 
define HTTPS://foo.com/ it should specify a new transport HTTP://foo.com:80:SSL/
I think the blame for that mess should be laid at another door however. 
Basically the URI working group should have understood this issue and defined a 
syntax for handling both SSL like objects and also DECNET, ATM. This would fit 
much better with the idea of SSL as being a wrapper for an arbitrary protocol.


I think its worth pointing out that the people working at Netscape now are a 
rather different bunch to the original team.


		Phill




Thread