From: ekr@eit.COM (Eric Rescorla)
To: cypherpunks@toad.com
Message Hash: 1c573ba0afc818fbd3a193f7dba9bcd537e53426e9d788485b43992fae1566cb
Message ID: <9409211529.AA10878@eitech.eit.com>
Reply To: N/A
UTC Datetime: 1994-09-21 15:29:29 UTC
Raw Date: Wed, 21 Sep 94 08:29:29 PDT
From: ekr@eit.COM (Eric Rescorla)
Date: Wed, 21 Sep 94 08:29:29 PDT
To: cypherpunks@toad.com
Subject: Re: HTTP authentication efforts
Message-ID: <9409211529.AA10878@eitech.eit.com>
MIME-Version: 1.0
Content-Type: text/plain
Paul writes:
>Does anyone know, on the off-chance, who is currently working on
>HTTP authentication processes for web browsing and Mosiac?
>Pointers appreciated.
Philip Hallam-Baker at CERN has done some work in this area. The
general name for it appears to be Shen. I don't know what the
status of it is. There is also the original PEM and PGP work
done at NCSA by Rob McCool. I'm given to understand that
MCC has done some work with Kerberos integration. (Microcomputer
and Electronics Corp, or whatever). In addition, I believe that
both Spry and Mosaic Communications Corp have announced that
they have their own security solutions but haven't announced
any technical details...
And.....Shameless plug follows:
Allan Schiffman and I here at EIT have developed an extension
of HTTP called 'Secure HTTP' which provides for end-to-end security
and authentication. (Mainly by recycling a lot of the preexisting
work in cryptographic messaging, particularly PEM and PKCS7).
The protocol is publicly specified and basically consists of
wrapping the entire transaction inside privacy enhanced messages,
using a variety of cryptographic message formats. It also includes
support for systems in which only one party has a public key
pair. [By exchanging an encrypted session key to be used for
the return transaction].
Disclaimer: While there will be some free distribution of the
software based on this protocol, and the protocol is completely
nonproprietary (except, of course, that it uses public key)
EIT (and I) have a financial interest in selling products based
on this technology.
You can get a copy of the current (though slightly outdated)
version of the protocol via:
WWW: http://www.commerce.net/information/standards/drafts/shttp.txt
Email: shttp-info@commerce.net (Automatic response)
Anonymous FTP: ftp.commerce.net/pub/standards/drafts/shttp.txt
The next rev should support (though the released software probably
won't for a while) Diffie-Hellman and Kerberos.
-Ekr
Return to September 1994
Return to “ekr@eit.COM (Eric Rescorla)”
1994-09-21 (Wed, 21 Sep 94 08:29:29 PDT) - Re: HTTP authentication efforts - ekr@eit.COM (Eric Rescorla)