Subject: Re: Security - coordination with MSH issues
Chris,

Here is what RFC 2246 has to say about the relationship to SSL 3.0. This is from the "goals of this document" section.

  The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate (although TLS 1.0 does incorporate a mechanism by which a TLS implementation can back down to SSL 3.0).

To me this suggests that there MIGHT be differences in how SSL 3.0 and TLS 1.0 properties would be expressed in the CPP and CPA. In addition, any new function in TLS, such as Kerberos, would probably have to be expressed in the CPP/CPA only for use with TLS (and not SSL).

Regards,
Marty

*************************************************************************************
Martin W. Sachs
IBM T. J. Watson Research Center
P. O. B. 704
Yorktown Hts, NY 10598
914-784-7287; IBM tie line 863-7287
Notes address: Martin W Sachs/Watson/IBM
Internet address: mwsachs @ us.ibm.com
*************************************************************************************

christopher ferris <chris.ferris@east.sun.com>@Sun.COM on 08/29/2001 02:43:40 PM

Sent by: Chris.Ferris@Sun.COM

To: Martin W Sachs/Watson/IBM@IBMUS
cc: "Collier, Timothy R" <timothy.r.collier@intel.com>, "'ebxml-cppa@lists.oasis-open.org'" <ebxml-cppa@lists.oasis-open.org>
Subject: Re: Security - coordination with MSH issues

Marty,

Given that TLS is effectively derived from SSLv3, what specific differences had you in mind? TLS adds support for Kerberos and a few other bits, but it is largely the same, is it not?

Cheers,

Chris

Martin W Sachs wrote:
>
> Tim,
>
> This is a good list. I do have a few comments:
>
> TLS 1.0 has the status of PROPOSED STANDARD. I think it's time that CPA
> and MSG explicitly support TLS 1.0 as an alternative to SSL 3.0 (probably
> in V2.0). That would mean providing the necessary elements and attributes
> to support it properly. Since it is not directly interoperable with SSL
> 3.0, the element structure might be different from the element structure
> for SSL 3.0. We would also have to think about whether the SSL
> interoperability option in TLS would need its own support in the CPA or
> could be implied by the use of the SSL elements.
>
> The following are probably needed but don't seem to have security
> implications except that some might figure in any new packaging definition:
>
> 1.3 Support for large messages using HTTP Compress function
> 1.4 Provide Multicast support
> 2.6 Transport Compression (is this the same as 1.3?)
>
> Regards,
> Marty
>
> *************************************************************************************
>
> Martin W. Sachs
> IBM T. J. Watson Research Center
> P. O. B. 704
> Yorktown Hts, NY 10598
> 914-784-7287; IBM tie line 863-7287
> Notes address: Martin W Sachs/Watson/IBM
> Internet address: mwsachs @ us.ibm.com
> *************************************************************************************
>
> "Collier, Timothy R" <timothy.r.collier@intel.com> on 08/27/2001 07:07:06 PM
>
> To: "'ebxml-cppa@lists.oasis-open.org'" <ebxml-cppa@lists.oasis-open.org>
> cc:
> Subject: Security - coordination with MSH issues
>
> All,
>
> I have started a listing of the security specific issues that seem
> to need further discussion with the MSH team. The issues from the MSH
> perspective are from their latest issues list (thanks Marty), and our
> issues are currently just headers that are there to reflect my assumptions
> on what needs MSH co-discussion. Please add to the list and when we get
> close to the Oct F2F, and it is filled in, I would like to send it to the
> MSH team.
> One of the biggest things, I think, is to make sure that what gets
> worked on in V1.1 in both MSH and CPPA is consistent. It would be bad if
> one adds something that is not supported by the other.
>
> Tim
>
> <<Security MSH+CPPA.ZIP>>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>