[Esapi-user] [Esapi-dev] Why ESAPI crypto uses a custom serialization scheme

Kevin W. Wall kevin.w.wall at gmail.com
Sat May 1 12:51:16 EDT 2010


Jim Manico wrote:
> One other requirement on my end - TLS connections only. Better? This
> entire mechanism seems to work great on modern browsers.  Heck - even
> ie6 plays well with JS crypto libs albeit slower than chrome+FF.

This again goes back to the threat model. TLS connections certainly
make things a lot easier. But OTOH, if the rest of the crypto is
done correctly, that ciphertext can be sent securely over even
insecure data comm channels. (That is generally the whole point.)
So, it is in part redundant.  With things like web services, what
is really important is END-to-END confidentiality / authenticity.
TLS only gives you that POINT-to-POINT. So that's why you see
things like WS-Security. They are MUCH more complicated to use
because it pushes back many of the crypto security decisions to
the end application developers. And I think that's a scary proposition
because most of them are frankly not qualified to make such decisions.
But (for example) if you use WS-Security correctly, then using TLS
is superfluous. It's just that it's soooo much easier to use TLS
correctly, so if you are a belt-and-suspenders man and believe in
security-in-depth, use both.

Just my opinion FWIW,
-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
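
The end-to-end versus point-to-point distinction in the message above, as an added example that is not part of the original post and is not ESAPI code. It assumes Node.js and a key shared only by the two endpoints; `seal`, `unseal`, `relay` and the sample payload are hypothetical names and constructed data.

```javascript
const crypto = require('node:crypto');

// Key known only to the two endpoints (constructed for this example).
const endToEndKey = crypto.randomBytes(32);

// Sender: AES-256-GCM gives confidentiality and authenticity in one envelope.
function seal(key, plaintext, context) {
  const iv = crypto.randomBytes(12);            // fresh nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));  // authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag(), context };
}

// Receiver: returns the plaintext, or null if anything changed in transit.
function unseal(key, env) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
    d.setAAD(Buffer.from(env.context, 'utf8'));
    d.setAuthTag(env.tag);
    return Buffer.concat([d.update(env.ct), d.final()]).toString('utf8');
  } catch (e) {
    return null;                                // tag check failed
  }
}

// Intermediary where one TLS hop ends (proxy, gateway, message broker).
// It holds no end-to-end key, so it only sees and forwards the envelope.
function relay(env, tamper) {
  const copy = { ...env, ct: Buffer.from(env.ct) };
  if (tamper) copy.ct[0] ^= 0x01;               // simulate modification at the hop
  return copy;
}

function demo() {
  const msg = 'account=12345;amount=100';       // constructed sample payload
  const env = seal(endToEndKey, msg, 'svc-A->svc-B');
  return {
    plaintextVisibleAtRelay: env.ct.includes(Buffer.from('12345')),
    honestRelay: unseal(endToEndKey, relay(env, false)),
    tamperingRelay: unseal(endToEndKey, relay(env, true)),
    reroutedContext: unseal(endToEndKey, { ...env, context: 'svc-A->svc-C' }),
  };
}
```

TLS on each hop would protect the envelope between machines; the GCM tag is what lets the final receiver reject a change made at the hop itself.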

