"Marcus J. Ranum" wrote:
>
> Does anyone have a pointer to why the session ID in SSLV3 is
> in the clear, rather than encrypted? I'm sure there's a good
> reason for it (audit? logging? other...?) but I'm trying to
> pin down exactly why it was done that way. Can anyone point
> me in the right direction?
Because the session ID is used to restore the shared cryptographic
environment, for performance reasons. Hence it has to be in the clear.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
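As an added illustration of the point in Ben's reply (example code written for this page, not part of the thread or of any SSL implementation): a toy SSLv3 ClientHello builder and parser showing that the session ID is readable from the raw record bytes, and that the server consults it to restore cached state before any key material exists. The sample values, the cache layout and the function names are constructed for this example.

```python
import struct

# Constructed sample values, not a real capture.
SAMPLE_SESSION_ID = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_RANDOM = bytes(range(32))
# Toy stand-in for the server's cache of resumable sessions, keyed by session ID.
SESSION_CACHE = {SAMPLE_SESSION_ID: {"master_secret": b"\xaa" * 48, "cipher": 0x000A}}


def build_client_hello(session_id: bytes, client_random: bytes) -> bytes:
    """Assemble an SSLv3 ClientHello record offering a single cipher suite."""
    body = b"\x03\x00" + client_random                 # client_version, random
    body += bytes([len(session_id)]) + session_id      # session_id<0..32>
    body += struct.pack("!H", 2) + b"\x00\x0a"         # cipher_suites (one entry)
    body += b"\x01\x00"                                # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def parse_session_id(record: bytes) -> bytes:
    """Extract the session ID from the raw record. No key material is needed,
    which is exactly why a passive observer can read it as well."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        raise ValueError("bad session ID length")
    return body[35:35 + sid_len]


def server_decision(record: bytes, cache: dict) -> str:
    """Decide, before any encryption exists, whether to resume cached state
    or run a full handshake. This lookup is the reason the ID is plaintext."""
    sid = parse_session_id(record)
    if sid and sid in cache:
        return "resume"   # reuse the cached master secret, skip the public-key exchange
    return "full"         # unknown or empty ID: negotiate fresh keys
```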