> Richard Sez: > > There's a protocol being touted by Netcape Communications Corportation > (formerly Mosaic Communications Corportation) which is supposedly strong > enough to conduct commerce over. It's description is in a document with > all the RFC-bound trappings, located on http://www.mcom.com/someplace. http://www.mcom.com/info/SSL.htm > I'm not a member of the Brainiac Protocol Busters Club, but the protocol > looks pretty good to me. In lieu of the IETF protocol, has anybody > spotted flaws in the SSL ? It's up and working now, apparently. SSL is a perfectly fine session-level encryption protocol; It layers conceptually on top of TCP and under (ftp, http, whatever) and provides support for a number of different block and stream encryption methods. It does have a few problems: 1> It's yet another standard to do this, and is only implemented currently in netscape. 2> The authentication and encryption are associated with the session/connection, and not with the transported data. this makes it useless when a proxy is involved. 3> It looks like S-HTTP is going to be the standard and not SSL. S-HTTP is also available now. 4> The spec author (kipp@warp.mcom.com) does not seem to have time to help others implement SSL, and there is no mailing list as yet. But, on the other hand, it's a perfectly good design for doing what it does, and it is deployed in the netscape and netsite software. -Rens