
OBCSCR



   From: crywalt@dev.prodigy.com
   Date: Thu, 29 Sep 1994 10:23:45 -0400
   Original-From: Chris Rywalt <crywalt@dev.prodigy.com>
   To: cwf@vodka.sse.att.com, www-buyinfo@allegra.att.com
   Subject: RE: OBCSCR
   Cc: crywalt@dev.prodigy.com


   > If there is consensus that this is an interesting idea, I'd like to
   > see if we can mutually develop an OBCSCR not tied to one vendor's
   > proprietary hardware or software.

   I just want to put in my "vote" that this is indeed an interesting idea.  I
   don't think overloading HTTP will work out well -- it simply wasn't
   meant for the uses which we're discussing.  One of the beauties of
   HTTP is that it's relatively simple.  Separating out the security
   concerns makes sense for all the reasons you list.  Also, it allows
   different people to set different levels of security, depending on
   what they trust and personal choice and all.  I think this is very
   important.

   Chris.
   crywalt@tinman.dev.prodigy.com


On a similar note, the IETF CAT WG is investigating the addition of
security mechanism negotiation in the GSSAPI.  This too could provide
a generic means (across applications) of setting up encryption keys,
etc. at the time of user/service I&A.  Being "under" the GSSAPI, the
negotiation would not interfere with the native application protocol.
However, the native application protocol must be extended to at least
indicate whether or not security is required, i.e. to determine
if/when I&A and encrypted transfers are to occur, so the client/server
know when to use the GSS.  Also, the same connection/link would
probably be used to do the security negotiation and subsequent secure
data transfers as the normal (traditional) path (i.e. both secure and
normal traffic over the same physical client/server connection).

Also, I suggest the OBCSCR discussion be sent to the WWW security
email list as well (www-security@ns1.rutgers.edu, which I've included
on this message). 

- Doug

Doug Rosenthal
MCC EINet                    |  Email: rosenthal@mcc.com
3500 W. Balcones Center Dr.  |  Voice: 512-338-3515
Austin, TX USA 78759         |  Fax:   512-338-3897

