Transport Layer Security (TLS)
Secure-stream protocol
X.509 PKI-centric, though extensible
Data-stream protection
server authentication, optional client authentication
Transparent to app layer?
No standard TLS API
App needs to know if TLS is in use
How does authentication info get to app?
TLS state machine vs app-protocol authn state machine
In-band negotiation of TLS vs separate foo-over-TLS port
In-band preserves endpoint = host+port architecture
Client must check server identity ...
But what is a server identity?
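As an added example (not from the slides), the check the last two bullets point at: once TLS has validated the certificate chain, the client still has to decide whether the names the certificate asserts cover the host the application meant to reach. The code assumes the caller has already extracted the subjectAltName dNSName entries and subject CN from the certificate; all names below are constructed.

```python
# Added example: match the host the client asked for against the names
# a server certificate carries. subjectAltName dNSName entries take
# precedence; the subject CN is only a legacy fallback when no dNSName
# is present. Assumes the names were already parsed out of the cert.

from typing import Iterable, Optional


def _name_matches(cert_name: str, host: str) -> bool:
    """Case-insensitive, label-by-label match; a lone '*' may stand for
    exactly one label and only in the leftmost position."""
    pattern = cert_name.lower().rstrip(".").split(".")
    target = host.lower().rstrip(".").split(".")
    if len(pattern) != len(target):
        return False
    if "*" in pattern:
        # Reject wildcards anywhere but the leftmost label, and reject
        # patterns like "*.com" that would cover a whole TLD.
        if "*" in pattern[1:] or len(pattern) < 3:
            return False
    # A label such as "w*" never equals a real hostname label, so
    # partial wildcards simply fail to match.
    return all(p == "*" or p == t for p, t in zip(pattern, target))


def server_identity_ok(host: str, san_dns: Iterable[str],
                       subject_cn: Optional[str]) -> bool:
    """True if the certificate's names cover `host`.

    When any dNSName is present the CN is ignored, so a CN that happens
    to match cannot rescue a certificate issued for other names."""
    san_list = list(san_dns)
    if san_list:
        candidates = san_list
    else:
        candidates = [subject_cn] if subject_cn else []
    return any(_name_matches(n, host) for n in candidates)
```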
rlmorgan@washington.edu
BLOCKS BoF, IETF 47, March 2000