From: michael shiplett <michael.shiplett@umich.edu>
Date: Sat, 25 Jun 94 02:47:04 PDT
To: Vincent.Cate@FURMINT.NECTAR.CS.CMU.EDU
Subject: Re: Secure Mosaic / Net surfing
In-Reply-To: <772527133/vac@FURMINT.NECTAR.CS.CMU.EDU>
Message-ID: <199406250946.FAA16762@totalrecall.rs.itd.umich.edu>
MIME-Version: 1.0
Content-Type: text/plain


"vc" == Vincent Cate <Vincent.Cate@FURMINT.NECTAR.CS.CMU.EDU> writes:

vc> I was surfing off the edges of my page and came across a page
vc> about secure http/mosaic. The page is:

vc>      http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html

  This is not the SHTTP work being done for CommerceNet--it is more a
proof of concept for doing PK encryption of HTTP requests. It has a few
shortcomings:
  1) The server identity is passed over an insecure connection without
     any way for the client to verify it.
  2) The server's public key are obtained via finger.
  3) Requests are subject to replay attacks.

  To be fair, the document mentions (2) & (3).

  There are, at least, a couple projects adding security to
HTTP--Shen Security Enhancements to HTTP and Secure HTTP.

The former may be found at
    http://info.cern.ch/hypertext/WWW/Shen/ref/shen.html

while SHTTP is available as
    WWW   http://www.commerce.net/information/standards/drafts/shttp.txt
    Email shttp-info@commerce.net
    FTP   ftp://ftp.commerce.net/pub/standards/drafts/shttp.txt

  I do not know if the differences between the two have been resolved
so that there is a single proposal for secure web transactions.

michael