Rich Salz <[EMAIL PROTECTED]> writes:

> > SSLv3 is a de facto, industry standard, devised by the best cryptanalyst
> > we have.  It is represented only by an expired Internet Draft. TLS is a
> > committee effort.  You be the judge.
> 
> That is unfair, misleading, and wrong.
> 
> All IETF standards are committee efforts.  And with all due respect to
> the SSL designers, "best cryptanalyst" seems an honor that (at least)
> Rubin, Bellovin, Blaze, Kelsey, Shamir, and their colleagues could all
> reasonably lay claim to.  Some of them were involved in TLS.

Hmm... I was there and I don't recall any of the above being substantially
involved in TLS. [0]

That said, TLS and SSLv3 are nearly identical. The differences 
essentially come down to:

(1) A tightening up of the Key Derivation Function (tying it more
closely to HMAC)
(2) A replacement of the ad hoc (and somewhat broken) MAC used in
SSLv3 with HMAC.
(3) A truncated MAC for the handshake verify function.
(4) Some additional alerts.
(5) Some clarifications.
(6) A requirement to implement DH/DSS. This is going to be changed
in the next draft however.

I've certainly heard plenty of arguments that the changes made to TLS
were unnecessary (in fact I've made such arguments myself) but I've
never heard any even remotely convincing arguments that they render
the protocol less secure. In fact, there are some plausible arguments
that they render the protocol more secure. The only real debate
was whether the rather modest improvements in security were worth
the price of incompatibility.

Michael, do you have some argument to make that TLS is inferior
to SSL?

-Ekr

[0] There were, however, some relatively well known names there: Hugo
Krawczyk, Ran Canetti and Dan Simon come to mind. Schneier even
chaired an early rump group meeting.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
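
Item (2) in the list of differences above, as an added example that is not part of the original message or of OpenSSL: the SSLv3 record MAC next to the HMAC-based TLS 1.0 record MAC, written from the constructions in RFC 6101 and RFC 2246. The function names, key and record contents are assumptions made up for the illustration.

```python
import hashlib
import hmac
import struct

# SSLv3 pad lengths (RFC 6101): 48 bytes for MD5, 40 bytes for SHA-1.
SSL3_PAD_LEN = {"md5": 48, "sha1": 40}


def ssl3_mac(hash_name, secret, seq_num, rec_type, fragment):
    """SSLv3 record MAC: the key and pads are concatenated, not XORed."""
    n = SSL3_PAD_LEN[hash_name]
    pad_1, pad_2 = b"\x36" * n, b"\x5c" * n
    # SSLv3 covers seq_num + type + length + data; the version is not MACed.
    header = struct.pack("!QBH", seq_num, rec_type, len(fragment))
    inner = hashlib.new(hash_name, secret + pad_1 + header + fragment).digest()
    return hashlib.new(hash_name, secret + pad_2 + inner).digest()


def hmac_by_hand(hash_name, key, msg):
    """HMAC from its definition (RFC 2104), to contrast with ssl3_mac."""
    block = hashlib.new(hash_name).block_size  # 64 for MD5 and SHA-1
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def tls10_mac(hash_name, secret, seq_num, rec_type, version, fragment):
    """TLS 1.0 record MAC (RFC 2246): HMAC, with the version covered."""
    header = struct.pack("!QB2sH", seq_num, rec_type, version, len(fragment))
    return hmac_by_hand(hash_name, secret, header + fragment)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real session.
    secret = bytes(range(20))
    data = b"GET / HTTP/1.0\r\n\r\n"
    assert hmac_by_hand("sha1", secret, data) == hmac.new(secret, data, "sha1").digest()
    print("SSLv3 :", ssl3_mac("sha1", secret, 0, 23, data).hex())
    print("TLS1.0:", tls10_mac("sha1", secret, 0, 23, b"\x03\x01", data).hex())
```

With SHA-1 the SSLv3 key and pad together are 60 bytes rather than one 64-byte hash block, whereas HMAC always pads the key to the full block before XORing.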