vrs-development

Re: [Vrs-development] Re: [DotGNU]VRS architecture docs


From: Chris Smith
Subject: Re: [Vrs-development] Re: [DotGNU]VRS architecture docs
Date: Tue, 12 Feb 2002 10:25:20 +0000

On Tuesday 12 February 2002 00:07, Bill Lance wrote:
> SSL has been mentioned.  One question is can SSL deal
> with so many simultaneous connections.  Each node
> needs to communicate with all other nodes.  Anyone
> know?

SSL is just a layer on top of sockets/fd.  It also has bio_* support for 
general block IO over streams etc.  If you've got comms over several fd's and 
you place SSL in front of each one, you'll end up with several encrypted 
comms channels.

You don't need to think about SSL being there - it's transparent - you need 
to keep an eye on performance though and use tricks like session resumption 
etc, but you can hide that away too.

SSL can sit between you and the file system too.
Open a file
Transfer data to and from that file via the SSL layer/Bio
Close the file.

The filesystem hierarchy remains un-encrypted though.

The problem with all encryption schemes is that certificates/keys need to be 
stored on the machine somewhere.  Even in memory they're vulnerable - a single 
core dump can ruin the security of an entire system, and you've got to get 
them into memory every time the system starts... which is usually from disk!

I think it's going to boil down to 'if you give root away, resign and move to 
Alaska'.

-- 
Chris Smith

address@hidden
"I used up all my sick days - so I phoned in dead."


