On 5/15/06, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> On Sun, May 14, 2006 at 05:29:30PM -0700, Kyle Hamilton wrote:
>> as has been mentioned before, premature
>> optimization is the root of all evil. Write the code, determine the
>> bottlenecks with a profiler, and optimize them. Most of the time
>> you'll find the bottlenecks aren't in the SSL/TLS layer at all.
>
> One does however need to somehow find the right security framework for
> the application, not so much based on performance guesses, but based on
> suitability of the framework to the target environment and threat model.
> Here, one needs to compare Kerberos (used directly or via SASL), with
> OpenSSL. Kerberos is a better fit *within* organizations, provided
> the organization is prepared to field some KDCs and enroll all the
> required principals. TLS with X.509 is typically more suitable in
> inter-organizational deployments.
>
> The real security of the system is much more dependent on how it is
> administered than the underlying technology (barring serious technical
> errors). The primary selection criterion is finding a good fit for the
> real-life processes the users will engage in.
This is going into a new PBX, so in the first step it is more like
an independent box without dependence on Kerberos. I'm gonna
issue certificates for all nodes and use those to authenticate
inter-service connections. With TLS I then can also encrypt the
complete traffic. Moreover, for some reason the people on sci.crypt
told me to use TLS in EDH (ephemeral DH) mode vs. RSA mode.
IIRC this is about the initial connection/auth key-exchange setup
phase, and I still use X.509 certs to do the final service-to-service
authentication before the encrypted channel is up and running.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
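A configuration matching the plan in the reply above (certificates issued to every node, mutual X.509 authentication of service-to-service links, and ephemeral (EC)DH key exchange instead of RSA key transport), written here as an added Python example using the standard `ssl` module; it is not code from the thread, and the CA and certificate file names are hypothetical. `policy_summary()` is a self-check that the built context really offers no static-RSA suites and insists on a peer certificate.

```python
import re
import ssl

# OpenSSL cipher string that leaves only ephemeral (EC)DH key exchange, the
# "EDH rather than RSA mode" choice from the thread. "!kRSA" drops static RSA
# key transport, so a later key compromise cannot decrypt recorded traffic;
# TLS 1.3 suites are always ephemeral and unaffected by this string.
FORWARD_SECRET_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK:!kRSA"


def node_context(server_side, certfile=None, keyfile=None, cafile=None):
    """TLS context one PBX node uses for inter-service links: both directions
    demand a peer certificate chaining to the PBX's own CA (file names are
    hypothetical), and only ephemeral key exchange is offered."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # A server context from create_default_context() starts at CERT_NONE and
    # would accept anonymous clients; require and verify a client certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(FORWARD_SECRET_CIPHERS)
    if certfile:  # this node's own certificate chain and private key
        ctx.load_cert_chain(certfile, keyfile)
    # DHE suites also need ctx.load_dh_params() on the server; ECDHE does not.
    return ctx


def key_exchange_methods(ctx):
    """Key-exchange methods the context can negotiate, read from OpenSSL's
    cipher descriptions: "Kx=ECDH", "Kx=DH", "Kx=RSA", or "Kx=any" (TLS 1.3)."""
    methods = set()
    for cipher in ctx.get_ciphers():
        match = re.search(r"Kx=(\S+)", cipher["description"])
        if match:
            methods.add(match.group(1))
    return methods


def policy_summary(ctx):
    """Security-relevant settings in one place, e.g. for a startup self-check."""
    kx = key_exchange_methods(ctx)
    return {
        "requires_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "key_exchange": sorted(kx),
        "forward_secret_only": "RSA" not in kx,
    }
```

Pass each node's own certfile/keyfile and the PBX CA file when building the context; the self-check can run at service start-up before any socket is opened.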