
Re: HTTP security



> This seems a very relevant criticism:  Has Amanda, or anyone else 
> proposed an extension to HTML that would incorporate such things? 

Actually, it's not an extension to HTML, but to MIME (whose formats HTTP uses 
to tag and label data), and it just went to Proposed Standard (the last step 
before Internet Standard).  The MIME multipart/signed and multipart/encrypted 
body parts allow anything using MIME encapsulation to sign and/or encrypt 
arbitrary body parts.  Since it's at the document layer, it requires no 
special transport software, works with existing proxies and caching servers, 
and allows secure HTTP software to share code with secure email software 
(since it would use exactly the same formats).  The framework is general 
enough to allow use with either PEM-compliant signatures and encryption or 
others (such as PGP).  I believe that can also be used with symmetric key 
management, which could be useful for special purpose applications.

EInet's secure SHTTP proposal is also an end-to-end security framework.


Amanda Walker
InterCon Systems Corporation
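
Added example, not part of the original message: a sketch of the multipart/signed layout described above, showing that an intermediary can add transport headers without breaking the signature while any edit to the signed body part is detected. The HMAC-based protocol name, the micalg value, the key and the sample document are constructed assumptions standing in for a PEM or PGP signature.

```python
import base64, hashlib, hmac, re

KEY = b"constructed-demo-key"           # assumption: pre-shared symmetric key
PROTO = b"application/x-demo-hmac"      # hypothetical protocol, stands in for PEM/PGP

def sign(entity: bytes, boundary: bytes = b"sigbound") -> bytes:
    """Wrap a canonical (CRLF) MIME entity in a multipart/signed container."""
    mac = base64.b64encode(hmac.new(KEY, entity, hashlib.sha256).digest())
    return b"\r\n".join([
        b'Content-Type: multipart/signed; protocol="%s";' % PROTO,
        b' micalg=sha256; boundary="%s"' % boundary,   # folded header line
        b"",
        b"--" + boundary,
        entity,                      # part 1: the content, its own headers included
        b"--" + boundary,
        b"Content-Type: " + PROTO,   # part 2: signature over the bytes of part 1
        b"",
        mac,
        b"--" + boundary + b"--",
        b"",
    ])

def verify(message: bytes) -> bytes:
    """Return the signed entity if the signature part matches, else raise ValueError."""
    head, _, body = message.partition(b"\r\n\r\n")
    m = re.search(rb'boundary="([^"]+)"', head)
    if m is None or b"multipart/signed" not in head.lower():
        raise ValueError("not a multipart/signed message")
    # The CRLF before a boundary belongs to the boundary, not to the part.
    parts = (b"\r\n" + body).split(b"\r\n--" + m.group(1))
    if len(parts) != 4 or not parts[3].startswith(b"--"):
        raise ValueError("expected exactly two body parts")
    entity = parts[1][2:]            # drop the CRLF that ends the boundary line
    sig_head, _, sig_body = parts[2][2:].partition(b"\r\n\r\n")
    if PROTO not in sig_head:
        raise ValueError("unexpected signature protocol")
    expected = hmac.new(KEY, entity, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_body.strip())):
        raise ValueError("signature does not cover these bytes")
    return entity

# Constructed sample: an HTML document as it might be served over HTTP.
DOC = b"Content-Type: text/html\r\n\r\n<p>Wire 10 USD to account 1234</p>"
SIGNED = sign(DOC)
VIA_CACHE = b"Via: 1.0 cache.example\r\n" + SIGNED    # intermediary adds a header
TAMPERED = SIGNED.replace(b"10 USD", b"99 USD")       # intermediary edits content
```

verify(SIGNED) and verify(VIA_CACHE) both return the original entity; verify(TAMPERED) raises ValueError.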