From: “Erik E. Fair” (Time Keeper) <fair@clock.org>
To: Rich Salz <rsalz@osf.org>
Message Hash: e26d2299a92fe8f310632ddfd1d5fa5788ac0fbffc6f490a62457f9ff612cbbf
Message ID: <v02110108ac85f664b498@[204.179.132.1]>
Reply To: N/A
UTC Datetime: 1995-09-20 17:09:50 UTC
Raw Date: Wed, 20 Sep 95 10:09:50 PDT
From: "Erik E. Fair" (Time Keeper) <fair@clock.org>
Date: Wed, 20 Sep 95 10:09:50 PDT
To: Rich Salz <rsalz@osf.org>
Subject: Re: Please send me SSL problems...
Message-ID: <v02110108ac85f664b498@[204.179.132.1]>
MIME-Version: 1.0
Content-Type: text/plain
At 9:22 9/20/95, Rich Salz wrote:
>> Jeff, the SSL specification has a severe *architectural* problem - it
>> assumes that Internet Protocols are APIs ...
>> The IETF quite explicitly doesn't care about APIs
>
>With one exception so important that it might blow away your whole
>complaint...
>
>...GSSAPI.
> /r$
And we see how far *that* effort has gotten...
There was some discussion in Toronto last summer about APIs for the basic
transports (i.e. standardizing "sockets", or TLI, or whatever), which got
backed off to a list of "required service elements" that a good stack
vendor should make available to the app programmers, and then the whole
notion got killed off for the reasons I cited.
GSSAPI was an attempt to make it easy to slide in authentication &
encryption into existing software - lay a foundation for real security in
the applications. A fine goal, but a bad plan for achieving the goal. I
think they were also trying to avoid blessing any particular crypto scheme,
to avoid both the export morass, and the patent morass - "we'll drop in
whatever we can get on good terms, later."
API and interface standards are to be avoided in part because of the
reasons I cited previously, in part because they're hard to do right for
all platforms (not everyone uses function-call style system/library calls),
and in part because they do not guarantee you interoperability - classic
case in point is the Microsoft Mail API (MAPI): you can put *anything*
under MAPI: Novell MHS, cc:Mail, QuickMail, or SMTP, just to name a few. If
you are not speaking the same wire protocol as your intended correspondent
(or peer), you lose, regardless of the fact that your software and hers are
both using the same API - you cannot interoperate.
What really annoys me is the fuss you see in the trade rags about
"middleware" these days; they've missed this entire point about interfaces
versus protocols, and they're propagating the misconception that interfaces
give interoperability to the general marketplace. And the vendors are
laughing all the way to the bank.
Erik Fair
Return to September 1995
Return to ““Erik E. Fair” (Time Keeper) <fair@clock.org>”
1995-09-20 (Wed, 20 Sep 95 10:09:50 PDT) - Re: Please send me SSL problems… - “Erik E. Fair” (Time Keeper) <fair@clock.org>