
Re: Req for HTTP Sec questions



> I'm sorry it's taken me so long to share my questions about the
> HTTPSec internet draft. Answers are appreciated.

	I follow the same thoughts. There are many points in the draft which
should be recast...

> > It is envisioned that HTTPSec may
> >     coexist in a single transaction with such mechanisms, each
> >     providing security services at the appropriate level, with at
> >     worst some redundancy of service.

	You don't really believe that it is realistic to implement redundant
security services at the application level, when you already have a secure
transport channel?
	I really believe that it is possible to implement almost all security
services independently of the application protocol. People should be giving
more attention to things like GSS.


> >     To allow user privacy, HTTPSec must support service
> >     authentication without user authentication.

> Isn't this a problem for Kerberos (a pretty popular distributed
> authentication server :-)? My understanding is that authentication in
> Kerberos is always mutual; the client has to authenticate for the
> server to authenticate. If you said "should" instead of "must", that
> wouldn't be a problem. I think DCE 1.1 can satisfy at least the spirit
> of this requirement, since it has an anonymous identity that can be
> used for authentication. However, it would be better if the wording
> made clear that that sort of thing was sufficient.

	I think that the stance of the draft is to specify what an ideal
implementation should be. That doesn't mean that all implementations, in all
modes of operation, should follow exactly what the draft says.


	What about non-repudiation?
	Should that service be supported by HTTP, or an underlying security
layer, or not?
	People say that S-HTTP is better than SSL, because S-HTTP supports
document non-repudiation. I don't see why that can't be put also at the
"transport" layer (application layer?!?).

	I really believe that the draft on HTTPSec is unsound with the draft
on SDTPs. (Kill me, on this!)


	Best, Jorge Simao.

-- 
_________________________________________________________________
|       /		       /    e-mail: jsimao@fct.unl.pt   |
|      /   _/_/_/    _/_/_/   /     (MIME messages accepted)    |
|     /	      _/   _/	     /   Jorge Paulo Ferreira Simao     |
|    /	     _/   _/_/_/    /    MSc Student at		        |
|   /	_/  _/        _/   /     Universidade Nova de Lisboa    |
|  /	_/_/    _/_/_/    /      F.C.T. - Dpt Informatica       |
| /______________________/       2825 Monte Caparica - PORTUGAL |
|                                                               |
| URL: http://sasc.di.fct.unl.pt/people/jsimao                  |
|      (look there for my PGP public key, or use,               |
|       finger jsimao@stimpy.di.fct.unl.pt)                     |
|_______________________________________________________________|

