some questions about SHTTP

• To: www-security@ns2.rutgers.edu
• Subject: some questions about SHTTP
• From: wangw@iti.gov.sg (Wang Wei Jun)
• Date: Thu, 3 Aug 1995 10:17:27 +0800 (SST)
• Cc: ekr@eit.com, ams@eit.com

Greetings,

I am trying to implement a secure http server. After I read the recent
SHTTP1.1 specification, I have some questions and would appreciate if
anyone can give me some answers. (I'm new to SHTTP and not familiar with
PKCS-7, PGP, so pardon me if I ask the wrong question)

1. Section 2.3.1 Content Privacy Domain
"Support for PGP is deprecated". 
For most of people outside USA, PKCS and PEM products are rarely available. 
(Correct me if I am wrong and tell me where to get PEM products please,
I am only aware of two: RIPEM and TISPEM, both are not exportable outside
USA I think) However, PGP is widely used as a public
key encryption package outside USA. Shall we still consider PGP?

2. MAC-Info (Section 2.3.5 page 8)
in page 8, second last paragraph
"The special key-spec 'DEK' refers to the Data Exchange Key used to encrypt
the following message body..."
The specification doesn't not say if key-spec is <Key-ID>, what does it
refer to? Does it also refer to the key used to encrypt the message body?
Is it encryption mandatory if <Key-ID> appears?(I guess so)

3. Signing Key Pattern (section 4.4.9.3, page 17)
The syntax definition for the patern values seems has some small mistake:
according to the example given, it seems the syntax should be like:
<Value> := '/' <Dn-spec> (',' <Dn-spec>)* '/'
<Dn-spec> := <Field-spec>*
Is the example wrong or the syntax definition itself?
Also according to the Your-Key-Pattern definition, the example should be:
  Your-Key-Pattern: 'signing-key', DN-1485, ...
The example doesn't have 'signing-key'

4. Inband Key Assignment (Section 5.4.1 page 21)
The specification says that "... However, this mechanism is also useful
to permit key changes without public key computations"
Q: what kind of encryption shall we use to protect the key? How do we 
get the session key?

5. Example (Section 10 page 35)
The last message: it says "the data between the delimiters is a PKCS-7
'Data' representation of the request"
Q: is the data encrypted by the inband key alice1? if not, why should
the server use Key-Assign to send the key alice1?

6. A general question about message content
I am quite confused about the message content (the part between
----BEGIN PRIVACY-ENHANCED MESSAGE---- and ----END PRIVACY-ENHANCED MESSAGE----)
What does it mean by it is a (PKCS-7/PEM) encapsulated message? Does it
mean it is encrypted? and what kind of encryption, which key? 
Is it true that every message must be either PKCS-7/PEM encapsulated?

Thank you,
Weijun Wang

----------------------------------------------------------------------
|Weijun  Wang	Tel: +65-7705933	Fax: +65-7773043             |	
|E-mail:	WANGW@ITI.GOV.SG			 	     |
|HTTP:	http://iti.gov.sg/iti_people/iti_staff/weijun/weijun.htm
|Post:		Information Technology Institute		     |
|		11 Science Park Road, 
|		Singapore Science Park II, Singapore 0511	     | 
----------------------------------------------------------------------

• Re: some questions about SHTTP
• From: marcvh@spry.com (Marc VanHeyningen)

• Previous: Re: SSL, X509 Certificates and EuroSign
• Next: SECURITY HOLE: FormMail
• Index(es):
  • Index
  • Thread