[3587] in cryptography@c2.net mail archive


Re: dbts: Lions and TEMPESTs and Black Helicopters (Oh, My!)

daemon@ATHENA.MIT.EDU (Rick Smith)
Wed Nov 4 16:27:26 1998

Date: Wed, 04 Nov 1998 15:09:18 -0600
To: EKR <ekr@rtfm.com>, cryptography@c2.net
From: Rick Smith <rick_smith@securecomputing.com>
In-Reply-To: <kjzpa8znw4.fsf@speedy.rtfm.com>

>Robert Hettinga <rah@shipwright.com> writes:
>> ... using an encrypted link with at least SSL, and, at some point, people
>> will demand much cheaper and faster internet-level encryption ala IPSEC to
>> move their money (and their other bits worth money) around.

At 09:28 AM 11/3/98 -0800, EKR replied:

>Uh... IPSEC _isn't_ faster or cheaper than SSL.

Let me raise another possible problem with substituting IPSEC for SSL --
does anyone *really* have an IPSEC implementation that interfaces as
effectively with secure applications? The conventions of the socket
interface don't provide a way for an application to reach down into the
stack and manage that security association, or even extract the certificate
associated with it. No doubt it could be done with enough elbow grease and
stack hacking, but it doesn't seem to be the direction IPSEC vendors are
going. IPSEC's role seems typecast as a VPN carrier while SSL does the job
when an application needs to manage the crypto association itself.



Rick.
smith@securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/
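An added example, not part of the original message: what an application that owns its SSL/TLS session can read from it, using Go's `crypto/tls` as a present-day stand-in. The loopback server, its self-signed certificate and the name `peer.example` are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// peerView dials a constructed loopback TLS server and returns what the client
// application reads from its own session, next to the bare socket address.
func peerView() (subject, suite, addr string, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject: pkix.Name{CommonName: "peer.example"}, DNSNames: []string{"peer.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts exactly this one certificate
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return
	}
	defer ln.Close()
	go func() { // server side: accept one connection and complete the handshake
		if c, e := ln.Accept(); e == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "peer.example"})
	if err != nil {
		return
	}
	defer conn.Close()
	st := conn.ConnectionState() // per-connection security state, visible to the application
	return st.PeerCertificates[0].Subject.CommonName, tls.CipherSuiteName(st.CipherSuite), conn.RemoteAddr().String(), nil
}
func main() { fmt.Println(peerView()) }
```

The last returned value, the remote address, is the only peer information the plain socket calls provide; the certificate subject and cipher suite come from the session object the application holds.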

