At Mon, 2 Nov 2009 17:56:39 -0500, Steve Kent wrote:
>I think we are talking slightly past each other, and have been on this
>topic all along. I said "HTTP", you seem to have read "TLS".
What Russ and I proposed was TLS, so that's why I am talking about TLS.
I'm not sure when the suggestion to use TLS was translated into HTTPS.
The protocol you reviewed back in 2007 was already running over HTTP,
so when you started talking about TLS, everybody interpreted it in the
context of the existing HTTP-based protocol and heard it as HTTPS.
..
I assume you mean PDUs throughout here, not IP packets. Your
description makes some sense, but is not what I think we heard at the
time. I think you're more concerned about channel-level access
control here than I am (as I said to Terry, the access control I care
about all hinges on the CMS signatures). It is of course possible
that you're right about this and I'm wrong. In any case, I agree that
if we had done what you describe here, replay protection would have
fallen out of it as one of the consequences.
