Rich Salz wrote: > > > SSLv3 is a defacto, industry standard, devised by the best cryptanalyst > > we have. It is represented only by an expired Internet Draft. TLS is a > > committee effort. You be the judge. > > That is unfair, misleading, and wrong.
Well, maybe unfair, but I think it's a fact ;-) I mean to say: don't underestimate the power of Internet Drafts. Internet Standards used to be more impressive. Anyway, I included references and did invite the reader to judge for himself. > All IETF standards are committee efforts. And with all due respect to > the SSL designers, "best cryptanalyst" seems an honor that (at least) > Rubin, Bellovin, Blaze, Kelsey, Shamir, and their colleagues could all > reasonably lay claim to. Some of them were involved in TLS. And I'd add Don Coppersmith, Bob Silverman, Daniel Bleichenbacher, etc. I really was just experiencing momentary flatulence. Maybe I'm still suffering from the mind-numbing PKIX experience. > I'm surprised to see this post coming from you, Michael -- someone been > tapping while you were out Starbucking or some such? :) I suspect my lack of caffeine rather than surfeit. I was trying to be funny, but "while I commanded an exceedingly fine racehorse to come forth, I only summoned a lame tortoise." Occasionally I find that I'm not as witty as I thought. I really do wish that web servers and browsers would implement TLS, and I could use those extra nifty cipher suites. ;-) I think I could have come up with TLS starting with SSLv3 -- I think the significant contribution was SSLv2 -> SSLv3. Just my $0.02, adjusted for inflation. Of course, I take a rebuke from /r$ seriously, normally I just ignore people when they point out my stupidities. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]