At 5:23 PM -0500 11/2/09, Rob Austein wrote:
... I think we are talking slightly past each other, and have been on this topic all along. I said "HTTP", you seem to have read "TLS".
What Russ and I proposed was TLS, so that's why I am talking about TLS. I'm not sure when the suggestion to use TLS was translated into HTTPS.
... Remember that the reason we were originally told to use TLS here was replay protection. I know you keep saying server protection, but that's not how we originally got here. I'm not seeing much replay protection in what we've implemented to date, which concerns me, as we added a fairly heavyweight mechanism that as far as I can tell has not solved the original problem.
My recollection differs somewhat. I think what Russ and I suggested was using TLS to enable session-level protection, which includes two-way authentication at the time of session creation (as an input to access control for the server), session integrity (i.e., dropped or re-ordered packets are detectable), and session authentication (i.e., all packets belonging to the same session are verified as such). Anti-replay at the session level and within a session are two facets of this protection suite.
Steve
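The session-level properties Steve lists (integrity, session authentication, and anti-replay within a session) all come from one mechanism in the TLS record layer: the per-direction sequence number is never sent on the wire but is covered by each record's MAC, so a replayed, reordered, or dropped record fails verification at the receiver. The following toy record layer, added here as an illustration and not code from anyone in this thread, shows that behaviour. It is modelled on the TLS 1.2 record MAC but simplified (it omits the type, version and length fields from the MAC input), and the session key and messages are constructed for the demonstration rather than derived from a real handshake.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real session derives its keys from the TLS handshake.
SESSION_KEY = b"constructed-session-key-for-demo"
TAG_LEN = 32  # HMAC-SHA256 output length


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a record: payload || HMAC(key, seq || payload).

    The 64-bit sequence number is implicit: it is part of the MAC input but
    is not transmitted, exactly as in the TLS record layer.
    """
    tag = hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()
    return payload + tag


class Receiver:
    """Receiving side of one session direction, tracking its own expected seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, record: bytes):
        """Return the payload if the record is the next one in sequence, else None.

        A real TLS endpoint would send a bad_record_mac alert and tear down the
        session on failure; here we simply reject the record and keep the
        counter unchanged so several failure cases can be shown in one run.
        """
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(
            self.key, struct.pack(">Q", self.expected_seq) + payload, hashlib.sha256
        ).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        self.expected_seq += 1
        return payload


def demo() -> dict:
    """Run the in-order, replay, reorder, drop and tamper cases and collect results."""
    records = [protect(SESSION_KEY, seq, m) for seq, m in enumerate([b"first", b"second", b"third"])]

    # 1. Records delivered in order: every record verifies.
    in_order = [Receiver(SESSION_KEY).accept(records[0])]
    rx = Receiver(SESSION_KEY)
    in_order = [rx.accept(r) for r in records]

    # 2. Replay: the same record presented twice; the second copy is rejected
    #    because the receiver now expects sequence number 1, not 0.
    rx = Receiver(SESSION_KEY)
    replay = [rx.accept(records[0]), rx.accept(records[0])]

    # 3. Reorder: record 1 arrives before record 0; its MAC was computed over
    #    seq 1 while the receiver expects seq 0.
    rx = Receiver(SESSION_KEY)
    reorder = [rx.accept(records[1])]

    # 4. Drop: record 1 is lost; record 2 then fails against expected seq 1.
    rx = Receiver(SESSION_KEY)
    dropped = [rx.accept(records[0]), rx.accept(records[2])]

    # 5. Tamper: one payload byte flipped; the MAC no longer matches.
    tampered_record = bytes([records[0][0] ^ 0x01]) + records[0][1:]
    tampered = [Receiver(SESSION_KEY).accept(tampered_record)]

    return {
        "in_order": in_order,
        "replay": replay,
        "reorder": reorder,
        "dropped": dropped,
        "tampered": tampered,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

Note the asymmetry this makes visible: the MAC gives integrity and session authentication for each record, but anti-replay is only a consequence of the receiver's strict sequence tracking. A receiver that accepted any valid MAC without checking the sequence number would still authenticate records yet would accept replays, which is the gap Rob's message is asking about at the HTTP layer above TLS.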