S-HTTP and symmetric key encryption

• To: michael.shiplett@umich.edu
• Subject: S-HTTP and symmetric key encryption
• From: ams@eit.com (Allan M Schiffman)
• Date: Fri, 22 Jul 94 18:22:34 PDT
• Cc: www-security@ns1.rutgers.edu

Michael,

>   The S-HTTP proposal is rather weak wrt symmetric key encryption. I'm
> interested any leads on Kerberized HTTP as we have a Kerberos database
> of 60,000+ users which includes most of the people (students, faculty,
> and staff) at the University of Michigan. Handing out public key pairs
> to all these users will be difficult and we need a secured HTTP now,
> so much of the S-HTTP paper--while very good for a public key
> environment--is inapplicable here.

You're quite correct that the current S-HTTP spec is very PKC oriented,
because we were mainly concerned with trust boundary-crossing spontaneous
transactions.

The next revision of the spec includes much more through-going support of
symmetric key transactions, including support for externally arranged
keys and Kerberos-based key distribution. This may be more suitable
for deployment in closed user communities.

I should also say, however, that our reference implementation of Secure
NCSA Mosaic has the ability to generate key pairs (and "certificate signing
requests"). So using PKC in your university context might not be as hard
as you think!

-Allan

• Previous: www-security hyper-archive available
• Next: FAQ existence?
• Index(es):
  • Index
  • Thread