> I'm not very experienced programming with SSL, but I'm heavily
> researching the concepts at this stage. I'm a bit skeptical, to
> say the least, of the cost/benefits of this.
>
> I sure would appreciate it if someone could tell me if this is a bad
> idea and why; the more I know now at this time the better.
>
> David

I think it's a bad idea. SSL and SSH are well-tested and well-understood.
Any combination of them that you make would not have either of these
properties. Further, if any vulnerabilities appear in either of these
protocols, the blame will be shared across the designers, validators, and
implementers of these protocols.

On the flip side, if you implement your own combined protocol, you are going
it alone. If the upper protocol is made less secure by the change in the
protocol beneath it (which *can* happen), it will be all your fault and all
your problem.

Since you don't sound comfortable validating this approach yourself, someone
qualified to validate a cryptographic system needs to do it. SSL and SSH are
already well-understood and the circumstances in which they work correctly
(and how they can break if you screw something up) are at least largely
understood.

I can think of a few ways this could actually result in much less security.
Most of them would require some bone-headedness on the part of the
implementation. Unfortunately, the things I can't think of will screw you as
badly as the things I can.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
