[standards-jig] A few thoughts on JEP 0035

Paul Lloyd paul_lloyd at hp.com
Tue Jul 9 22:11:18 UTC 2002


Hi,

I've been reviewing JEP 0035. On the whole it's very good; it's
a very clean and established way to integrate TLS.

The current draft does raise a few questions, though:

1) There is an asymmetry in the shutdown of the initial <stream:stream>s
described in section 2.3; only the server/host sends a </stream:stream>.
Is there some specific reason that the client/node does not
also close his stream prior to the new stream initialization?

2) <whiny> Would it make more sense to choose a namespace identifier other
than the reference to RFC2595? </whiny>

3) Section 3 is a great companion to the use of SASL presented in JEP 0034.
To make the protocol specification complete, I think some statement needs
to be made about the use of the CertificateRequest message:

   o  is it, as in "vanilla" TLS, strictly a matter of server choice?

   o  or, is there some way for the client to indicate a preference for
      TLS-based authn in advance?

I'm fairly neutral, though eager to see this important feature of TLS used.

4) For completeness, are any statements needed about the circumstances
in which the client and server can resume an existing session during
the handshake? Should this simply be one of those "local matters"?

5) For completeness, are any statements needed about the circumstances
in which the client side might want to send a new ClientHello message and
renegotiate the session's security parameters on the fly? Should this also
simply be one of those "local matters"?

Later,


Paul Lloyd
Infrastructure Strategic Engineering
Strategy and Architecture Leadership Team
voice:          650-236-3704
FAX:            650-236-3632
MSN Messenger:  paul_lloyd at hp.com
paul_lloyd at hp.com
