[foaf-protocols] SSL book citation

Peter Williams home_pw at msn.com
Sat Jan 22 20:24:56 CET 2011

Ok, So yes! I do recommend it, of several choices folks have.
It has a subtle editorial running through its explanations, which I find liberates the reader and allows one to look at SSL as a tool. Exactly as it is today or tomorrow is only a profile, and that profile can change. There is nothing set in stone, and IETF's motivations for their current profiles may not fit with what is desired or needed here. But, SSL is flexible. From the outset, its use in nntps was VERY different to its use in https. Neither use of SSL made the assumptions that IETF made/make when attempting to harmonize SSL as "TLS" - to make the web fit closely with the internet security architecture (which makes certain internet-centric assumptions about the crypto roles of people, hosts and routers).
For example, I love the footnote on page 110 which itself makes the book worth $60. We may not wish to retain this restriction (that only authenticated servers can solicit webids). We may wish to allow ephemerally-keyed server authentication, in some use cases.
Not sure Nathan realized what he was doing, but he touched on two topics dear to my heart (both older military-era "investments" to be taken off the "refuse/oblivion" shelf, that can be pulled back off and re-purposed):
1. sequential handshakes, once used to impose military-relevant export controls; now available for composing channels and addressing speaks-for logical relations more generally than export controls.
2. ephemeral keying using DH-like ciphers, exploiting NSA's KEA processes that work with block ciphers providing their own class of trapdoors, allowing for better handshake design than that afforded by the classical RSA ciphersuite. (KEA was de-classified a while ago).
The book shows some limits of the author as it doesn't relate SSL's own history to the wider social story of crypto, now released from secrecy rules. But, I think it's fine to get one beyond the simplifications of SSL 101, from all the usual sources.
> Subject: Re: [foaf-protocols] SSL book citation
> From: henry.story at bblfish.net
> Date: Sat, 22 Jan 2011 19:55:48 +0100
> CC: foaf-protocols at lists.foaf-project.org; public-xg-webid at w3.org
> To: home_pw at msn.com
> Thanks. That is a very useful link. Is "SSL and TLS: Theory and Practice" a book you would
> recommend buying? It was published 2009 it seems so it should be quite up to date.
> If we have something like this we can reference together, then that should help us make
> sure we are mostly on the same page when it comes to acronyms and other things of which
> there are many.
> Henry
> On 22 Jan 2011, at 19:33, Peter Williams wrote:
> > http://books.google.com/books?id=dR2G0oPufe0C&pg=PA106&lpg=PA106&dq=SGC+handshake&source=bl&ots=UmKiSoYog3&sig=QkU80UAqMa9GVHK9IB5X9PMmaMc&hl=en&ei=vzY6TYvzNY3EsAPQtOX8Ag&sa=X&oi=book_result&ct=result&resnum=4&ved=0CCcQ6AEwAw#v=onepage&q=SGC%20handshake&f=false
> > 
> > some elements of the book on SSL are available for public browsing, see above. Reading this kind of material can get you beyond elementary understanding of SSL handshakes.
> > 
> > The topic I chose explains sequential handshakes, from two different camps: Netscape's international-step-up and the VeriSign-influenced Microsoft SGC (server-gated crypto). By studying these two examples of handshake composition, you can start to see what properties result from the design differences.
> > 
> > 
> Social Web Architect
> http://bblfish.net/