RE: Finding PKIX Servers!
> [Andrew Probert] I am not taking a dig at HTTP, merely stating a
> partitioning example of functionality up into infrastructure, the
> work's got to be done somewhere!
Not if it is make work. The problem with FTP and to a lesser extent
X.500 DAP is that the model is of a user at a terminal interfacing
to a database. So the protocol follows the steps the user would take,
first login, then perform a series of transactions, then log out.
> Why do you think BIND/UNBIND is unnecessary?
The authentication handshake need not be separated from the data
request. In general the authentication handshake and a URL will
easily fit into a packet. Combining the two is much more efficient.
> [Andrew Probert] My personal experience is that strong
> authentication has been pushed down into the SSL model, then I had to
> do lots of backflips and spend real development $$ to intercept SSL
> strong authentication, encode it as HTTP header vars and pass it back
> up to my applications which were on top of HTTP. (Live ecommerce site,
> now doing 20,000 transactions per month)
Which is why Eric and myself were integrating strong authentication
at the transfer/message layer. I still don't believe it is necessary
to waste a round trip delay on a separate BIND operation.
I don't see why an SSL implementation should have difficulty providing
the necessary information to the application. Certainly I am familiar
with several APIs which have provided the necessary information.
> [Andrew Probert] Agree SSL is a good model and does cache access
> control. However, policy regarding timeouts of SSL sessions and
> generation of new session keys is weak, e.g. do I need to
> re-authenticate every 10 minutes, 1 hour etc.? Normally a server side
> setting!
I believe the TLS folk have been addressing this.
Phill