
Re: GSS API...

> >> I wrote:
> >> I assume the server sends an encrypted copy of the requested 
> >> document to the client to avoid unauthorized access to the
> >> document via a sniffing attack?
> 
> >Jeff Hostetler writes:
> >I'm not sure I understand what you mean here.
> 
> >In the example, I'm assuming that the document is public-with-copyright
> >(as opposed to a document protected under a need-to-know policy) and
> >that the user is entitled to know of the document's existence and upon
> >payment (or proper kerberos-like authorization) entitled to a clear-text
> >copy of it.
> 
> Transmitted in clear text from Service Provider to client?  Won't
> Service Providers be wary of the clear text packets being sniffed
> by non-token-holding entities?

In my model, the HTTP server still holds the 'authorization-required'
or 'pay-per-view' document, and upon receipt of a valid 'certificate'
will send it to the HTTP client.  Issuance of a valid 'certificate'
comes from an 'authorized authorization/payment service provider'.
(Something like a kerberos server or a bank/credit card server.)
The service providers only issue certificates and confirm/deny
their validity.

jeff
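The three-party model sketched above (authorization/payment provider issues certificates and confirms or denies them; the HTTP server releases the document only on a confirmed certificate), worked through as an added example. This is not code from the original message; the class names, the HMAC-based certificate format and the document table are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demonstration; all names and the certificate format are assumptions.

class PaymentProvider:
    """Authorization/payment service provider: issues certificates and
    confirms or denies their validity. It never handles the document."""

    def __init__(self, key: bytes):
        self._key = key  # secret held only by the provider

    def issue(self, client: str, doc: str, expires: int) -> str:
        # Certificate = canonical JSON claims + HMAC-SHA256 tag over those claims.
        claims = json.dumps({"client": client, "doc": doc, "exp": expires}, sort_keys=True)
        tag = hmac.new(self._key, claims.encode(), hashlib.sha256).hexdigest()
        return claims + "." + tag

    def confirm(self, cert: str, now: int):
        """Return (True, claims) if the certificate is valid, else (False, reason)."""
        claims_json, sep, tag = cert.rpartition(".")  # tag is hex, so no '.' inside it
        if not sep:
            return False, "malformed"
        expected = hmac.new(self._key, claims_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"  # forged or tampered certificate
        claims = json.loads(claims_json)
        if now >= claims["exp"]:
            return False, "expired"
        return True, claims

class HttpServer:
    """Holds the pay-per-view documents and releases one only after the
    provider confirms that the presented certificate covers it."""

    def __init__(self, provider: PaymentProvider, documents: dict):
        self._provider = provider
        self._documents = documents

    def get(self, client: str, doc: str, cert: str, now: int):
        ok, result = self._provider.confirm(cert, now)
        if not ok:
            return 403, result
        if result["client"] != client or result["doc"] != doc:
            return 403, "certificate does not cover this client/document"
        if doc not in self._documents:
            return 404, "no such document"
        # The body is returned in clear text, which is exactly the exposure the
        # earlier question in the thread raises; this model does not address it.
        return 200, self._documents[doc]
```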
