Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!elroy.jpl.nasa.gov!decwrl!ucbvax!TIS.COM!galvin
From: galvin@TIS.COM (James M Galvin)
Newsgroups: comp.protocols.iso.dev-environ
Subject: Re: The innards of the FTAM implementation
Message-ID: <9102151442.AA24762@TIS.COM>
Date: 15 Feb 91 14:42:03 GMT
References: <9102121539.AA21283@rhino.ncsl.nist.gov>
Sender: usenet@ucbvax.BERKELEY.EDU
Reply-To: James M Galvin <galvin@TIS.COM>
Distribution: inet
Organization: The Internet
Lines: 19


	In practice, organizations do not want nor need to encrypt the OSI
	protocol structure itself, but merely the data they are using the
	protocols to transmit.  In the case of Ciaran's FTAM, it would seem
	more sensible to encrypt the application user data in the
	application layer, then all protocol control info remains intact and
	the worst that can happen is that the FTAM implementation at the
	receiving end produces a file which looks like garbage because it
	didn't know the file data was encrypted.

This model of the placement of security services is valid, but your message
suggests it is the preferred placement.  In fact, the placement of security
services is entirely dependent on the perceived threats.  For example, if
traffic analysis is a threat, this placement is not appropriate.

I am not sure this is an appropriate discussion for this list, but I would
be happy to discuss this further privately.

Jim