Anne & Lynn Wheeler wrote:

> > At 12:09 PM 10/7/2003 -0700, Eric Rescorla wrote:
> > This doesn't provide equivalent services to TLS--no anti-replay
> > service for the server.
>
> KISS ... for the primary business requirement .... the application already
> has anti-replay .... TLS anti-replay is then redundant and superfluous.

Well, that is correct, all financial cryptography protocols will have end-to-end replay, and in this sense, the anti-replay of TLS is not needed / gets in the way if one is doing financial stuff. (I've recently discovered this weirdness in Java where it automatically launches the entire POST again if it sees a problem, thus resulting in two transaction requests. Of course, the protocols pick it up and there is no danger, but I can't figure out how to easily stop the client side telling the user that the transaction had already been done....)

> yes, it isn't existing TLS .... it is KISS TLS based on primary business
> requirement ... as mentioned in original, not on existing specification
> for existing implementation
> http://www.garlic.com/~lynn/aadsm15.htm#19

You are not being fair, Lynn, you are hijacking the name of TLS, in order to promote a protocol to protect credit cards. What you described has practically nothing to do with TLS/SSL... Such a protocol would be quite useful no doubt, but it has little to do with TLS' design goal of being a full service channel security product.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
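As an added illustration of the point made above (this is not code from the thread or from either author), here is a sketch of the application-level anti-replay that makes the TLS anti-replay service redundant for a transaction protocol: each request carries a unique transaction id under a MAC, and the server treats a resubmitted id, such as the second POST an HTTP client fires off on its own, as a duplicate to be answered idempotently rather than as a second transfer. The shared HMAC key, the transaction ids and the server structure are constructed for the example.

```python
import hmac
import hashlib
import json

# Shared MAC key between client and server (constructed for the example;
# a real deployment would use per-client keys or public-key signatures).
KEY = b"example-shared-key"

def make_request(txn_id, payee, amount_cents):
    """Client side: build a transaction request and MAC it.
    The unique txn_id is what gives end-to-end replay protection."""
    body = {"txn_id": txn_id, "payee": payee, "amount_cents": amount_cents}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(KEY, raw, hashlib.sha256).hexdigest()
    return {"body": raw.decode(), "mac": tag}

class Server:
    """Server side: verify the MAC, then never execute the same txn_id twice."""
    def __init__(self):
        self.seen = {}       # txn_id -> result already returned for it
        self.ledger = []     # transfers actually executed

    def handle(self, request):
        raw = request["body"].encode()
        expected = hmac.new(KEY, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["mac"]):
            return {"status": "rejected", "reason": "bad mac"}
        body = json.loads(raw)
        txn_id = body["txn_id"]
        if txn_id in self.seen:
            # Replay (e.g. an automatic POST retry): do not execute again,
            # just return the answer the first submission got, flagged as a replay.
            return dict(self.seen[txn_id], replay=True)
        self.ledger.append((body["payee"], body["amount_cents"]))
        result = {"status": "ok", "txn_id": txn_id, "replay": False}
        self.seen[txn_id] = result
        return result

def simulate_retry():
    """A client submits once, then its HTTP layer resubmits the same POST."""
    srv = Server()
    req = make_request("txn-0001", "merchant-42", 1999)   # constructed ids
    first = srv.handle(req)
    second = srv.handle(req)                             # the unwanted retry
    return first, second, len(srv.ledger)
```

Returning the original result for the duplicate, instead of an error, is what lets the client show the user one completed transaction rather than a confusing "already done" message.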