From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID:
Date: Sun, 3 Apr 2005 19:20:05 -0400
From: Russ Cox
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] Secure ftp Again
In-Reply-To: <186925c4b8718cb5e5e1ce8747f78ce2@collyer.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
References: <4cb3ee21139d0d7c5ca19ed46c45dd95@proxima.alt.za> <186925c4b8718cb5e5e1ce8747f78ce2@collyer.net>
Topicbox-Message-UUID: 3230cb94-ead0-11e9-9d60-3106f5b1d025

> If one were going to add TLS dialing as a standard facility, I'd
> suggest adding it to cs, not dial, perhaps as a qualifier similar to
> "!r": tcp!host!ftp!tls. This would make TLS dialing available
> uniformly and immediately to all programs, without recompilation, and
> even to command-line usage.

since icann has deprecated having separate "automatically start tls
after connecting" tcp ports for services, tweaking any of these is not
very useful. for example (and this was my point earlier, which i did
not make very clearly), in ftp you have to send an "AUTH TLS" and have
the server send back a success response before you start tls. other
protocols have similar protocol-specific negotiation phases.

also, adding it to cs requires having /net/tcp understand the !tls
qualifier (cs just passes !r into the tcp dial string), which would
mean having the gory public-key certificate etc. part of tls in the
kernel (or in a separate user-space network stack).

russ
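The FTP "AUTH TLS" negotiation the message describes, as an added example in Python (not code from the thread or from Plan 9): the client talks plaintext on the normal ftp port, sends AUTH TLS, and wraps the socket in TLS only after the server's success reply (234, per RFC 4217); on any other reply it closes rather than continuing in plaintext. The function and file-object names are the example's own.

```python
import io
import re
import socket
import ssl

# Added example, not from the 9fans thread. The reply parser handles the
# multi-line form ("220-banner ... 220 ready") so a long greeting cannot be
# mistaken for the answer to AUTH TLS.
_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def read_reply(rfile):
    """Read one FTP reply from a text file object; return (code, text)."""
    raw = rfile.readline()
    m = _REPLY.match(raw.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed FTP reply: %r" % raw)
    code, sep, text = m.groups()
    parts = [text]
    while sep == "-":                       # multi-line reply continues
        raw = rfile.readline()
        if not raw:
            raise ValueError("connection closed inside multi-line reply")
        line = raw.rstrip("\r\n")
        m2 = _REPLY.match(line)
        parts.append(m2.group(3) if m2 else line)
        if m2 and m2.group(1) == code:      # "<code> " line ends the reply
            sep = m2.group(2)
    return int(code), "\n".join(parts)

def negotiate_auth_tls(rfile, wfile):
    """Return True only when the server accepted AUTH TLS (reply 234)."""
    code, text = read_reply(rfile)          # 220 greeting expected
    if code // 100 != 2:
        raise ConnectionError("unexpected greeting: %d %s" % (code, text))
    wfile.write("AUTH TLS\r\n")
    wfile.flush()
    code, text = read_reply(rfile)
    return code == 234

def secure_ftp_connect(host, port=21):
    """Plain TCP first; TLS starts only after AUTH TLS succeeds (hypothetical helper)."""
    sock = socket.create_connection((host, port))
    rfile = sock.makefile("r", encoding="latin-1", newline="")
    wfile = sock.makefile("w", encoding="latin-1", newline="")
    if not negotiate_auth_tls(rfile, wfile):
        sock.close()                        # refuse, do not fall back to plaintext
        raise ConnectionError("server refused AUTH TLS")
    ctx = ssl.create_default_context()      # verifies the server certificate
    return ctx.wrap_socket(sock, server_hostname=host)
```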