Please send me SSL problems...

Erik E. Fair (Time Keeper) fair at clock.org
Wed Sep 20 10:09:50 PDT 1995


At 9:22 9/20/95, Rich Salz wrote:
>> Jeff, the SSL specification has a severe *architectural* problem - it
>> assumes that Internet Protocols are APIs ...
>>  The IETF quite explicitly doesn't care about APIs
>
>With one exception so important that it might blow away your whole
>complaint...
>
>...GSSAPI.
>        /r$

And we see how far *that* effort has gotten...

There was some discussion in Toronto last summer about APIs for the basic
transports (i.e. standardizing "sockets", or TLI, or whatever), which got
backed off to a list of "required service elements" that a good stack
vendor should make available to the app programmers, and then the whole
notion got killed off for the reasons I cited.

GSSAPI was an attempt to make it easy to slide in authentication &
encryption into existing software - lay a foundation for real security in
the applications. A fine goal, but a bad plan for achieving the goal. I
think they were also trying to avoid blessing any particular crypto scheme,
to avoid both the export morass, and the patent morass - "we'll drop in
whatever we can get on good terms, later."

API and interface standards are to be avoided in part because of the
reasons I cited previously, in part because they're hard to do right for
all platforms (not everyone uses function-call style system/library calls),
and in part because they do not guarantee you interoperability - classic
case in point is the Microsoft Mail API (MAPI): you can put *anything*
under MAPI: Novell MHS, cc:Mail, QuickMail, or SMTP, just to name a few. If
you are not speaking the same wire protocol as your intended correspondent
(or peer), you lose, regardless of the fact that your software and hers are
both using the same API - you cannot interoperate.

What really annoys me is the fuss you see in the trade rags about
"middleware" these days; they've missed this entire point about interfaces
versus protocols, and they're propagating the misconception that interfaces
give interoperability to the general marketplace. And the vendors are
laughing all the way to the bank.

Erik Fair
