1996-07-01 - Re: secure WWW on UNsecure servers

Header Data

From: “Michael H. Warfield” <mhw@wittsend.com>
To: perry@piermont.com
Message Hash: 0c5f6d3985eff755a44d9cc043b89f925922678a8696987aa65fcf9885a1a306
Message ID: <m0uaUjE-0000uSC@wittsend.com>
Reply To: <199606292310.TAA12274@jekyll.piermont.com>
UTC Datetime: 1996-07-01 07:45:46 UTC
Raw Date: Mon, 1 Jul 1996 15:45:46 +0800

Raw message

From: "Michael H. Warfield" <mhw@wittsend.com>
Date: Mon, 1 Jul 1996 15:45:46 +0800
To: perry@piermont.com
Subject: Re: secure WWW on UNsecure servers
In-Reply-To: <199606292310.TAA12274@jekyll.piermont.com>
Message-ID: <m0uaUjE-0000uSC@wittsend.com>
MIME-Version: 1.0
Content-Type: text/plain


Perry E. Metzger enscribed thusly:
> Joseph Sokol-Margolis writes:
> > > How might one arrange for these encrypted web pages residing on an
> > > (unsecure) server to get decrypted only at the client's machine?
> > > This should work as transparently as possible for the user;
> > > except possibly for a userid/password query it should look like a
> > > normal web browsing session.  For now, we can assume that the
> > > decrypted web pages contain only HTML and images in .gif format.

> > It seems like it could be done by writing a plug-in that passed the
> > encrypted page to pgp (or had it internally) and used that to decrypt it.
> > The plug-in could store  the pass-phrase locally and clear when the user
> > disconnected.

> The "Right Way" to do what was asked is to use S/HTTP. However,
> Netscape, in their wisdom, has not implemented it.

	Uh...  Wait a minute...  The only ones to blame for the dearth
of S/HTTP systems are Tereasa systems and EIT.  While the rest of us have
been working on and developing for SSL those guys have stonewalled and
sat on it.  I know.  You ever try browsing for S/HTTP information.  Most of
the links on their site with any useful information refuse access to anyone
other that EIT members.  We've had a freely available SSL reference
implentation available for ages.  AFAIK they STILL don't have a working
reference implementation.  When they do, you can bet it will be EIT only.
They're so hell bent on keeping total control over it that they now
strangled it to death.  We now have freeware SSLeay and nobody is even
interested in screwing S/HTTP.  Forget that it's a better idea.  The idea
was stillborn because the parents strangled it a birth.

> Perry

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!





Thread