
Re: HTTP authentication efforts

Paul writes:
>Does anyone know, on the off-chance, who is currently working on
>HTTP authentication processes for web browsing and Mosaic?

>Pointers appreciated.

Philip Hallam-Baker at CERN has done some work in this area. The
general name for it appears to be Shen. I don't know what the
status of it is. There is also the original PEM and PGP work
done at NCSA by Rob McCool. I'm given to understand that
MCC has done some work with Kerberos integration. (Microcomputer
and Electronics Corp, or whatever). In addition, I believe that
both Spry and Mosaic Communications Corp have announced that
they have their own security solutions but haven't announced
any technical details...

And.....Shameless plug follows:
Allan Schiffman and I here at EIT have developed an extension
of HTTP called 'Secure HTTP' which provides for end-to-end security
and authentication. (Mainly by recycling a lot of the preexisting
work in cryptographic messaging, particularly PEM and PKCS7).

The protocol is publicly specified and basically consists of
wrapping the entire transaction inside privacy enhanced messages,
using a variety of cryptographic message formats. It also includes
support for systems in which only one party has a public key
pair. [By exchanging an encrypted session key to be used for
the return transaction].

Disclaimer: While there will be some free distribution of the
software based on this protocol, and the protocol is completely
nonproprietary (except, of course, that it uses public key)
EIT (and I) have a financial interest in selling products based
on this technology. 

You can get a copy of the current (though slightly outdated)
version of the protocol via:

  WWW: http://www.commerce.net/information/standards/drafts/shttp.txt
  Email: [email protected] (Automatic response)
  Anonymous FTP: ftp.commerce.net/pub/standards/drafts/shttp.txt

The next rev should support (though the released software probably
won't for a while) Diffie-Hellman and Kerberos.
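
Added example, not part of the original message and not EIT's code or the S-HTTP message format: a Node.js demonstration of the arrangement described above in which only one party (here the server) has a public key pair and the other sends an encrypted session key to protect the return transaction. RSA-OAEP, AES-256-GCM, the direction labels, the sample request and all function names are assumptions chosen for illustration.

```javascript
// Added illustration (constructed); not the S-HTTP wire format or EIT's code.
const crypto = require('crypto');

// Only the server owns a key pair (assumed: RSA-2048, OAEP with SHA-256).
const server = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt under the session key (assumed: AES-256-GCM). The direction label
// is bound as associated data so a request cannot be replayed as a response.
function seal(key, text, direction) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(direction));
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

// Decrypt and verify; throws if the message or direction label was altered.
function open(key, msg, direction) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  d.setAAD(Buffer.from(direction));
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.body), d.final()]).toString('utf8');
}

// Client (no key pair): pick a fresh session key, wrap it to the server's
// public key, and send the request encrypted under it.
function clientRequest(serverPublicKey, request) {
  const sessionKey = crypto.randomBytes(32);
  const wrappedKey = crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wire: { wrappedKey, ...seal(sessionKey, request, 'request') } };
}

// Server: unwrap the session key, read the request, and encrypt the return
// transaction under that same key, since the client has no public key.
function serverHandle(serverPrivateKey, wire, handler) {
  const sessionKey = crypto.privateDecrypt({ key: serverPrivateKey, ...OAEP }, wire.wrappedKey);
  const request = open(sessionKey, wire, 'request');
  return { request, reply: seal(sessionKey, handler(request), 'response') };
}

// One full exchange over a constructed sample request.
function roundTrip(request) {
  const { sessionKey, wire } = clientRequest(server.publicKey, request);
  const { request: seen, reply } = serverHandle(server.privateKey, wire,
    (r) => 'HTTP/1.0 200 OK\r\n\r\nyou asked: ' + r.split('\r\n')[0]);
  return { seen, response: open(sessionKey, reply, 'response'), wire, sessionKey };
}
```

The client authenticates the reply only implicitly: nobody without the server's private key could have recovered the session key that the response verifies under.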