Re: some questions about SHTTP

• To: wangw@iti.gov.sg (Wang Wei Jun)
• Subject: Re: some questions about SHTTP
• From: marcvh@spry.com (Marc VanHeyningen)
• Date: Fri, 04 Aug 1995 09:23:07 -0700
• cc: www-security@ns2.rutgers.edu
• In-reply-to: Your message of "Fri, 04 Aug 1995 13:25:55 +0800." <9508040525.AA17925@iti.gov.sg>

Wang Wei Jun said:
> If that's the case, shall we start discussing it? At least the implementers
> should let others know what is changed/unsaid in the spec. Otherwise, we
> may just have a lot of 'SHTTP compliant' client/servers but they won't talk
> to each others. This really defeats the purpose of WWW.

Very much so, yes, particularly if we really want SHTTP to be a
standards-track protocol.

> (BTW, is there any email group specifically discuss SHTTP?)

There's shttp-talk@openmarket.com, but there's never any traffic on it.
This group is probably as good a place as any, since theoretically it's the
group of the IETF WG for the spec.

> > Was anybody actually using it?  If not, it seems implausible that anybody
> > will anytime real soon.  PGP is not available inside the U.S. for commercial
> > use under reasonable terms, so I wouldn't expect to see anything happen with
> > it here.
> > 
> Yes, people outside USA are using PGP. So in order to let us use SHTTP,
> it's good if the spec. can include PGP support.

I mean, was anybody actually using PGP in SHTTP implementations?  I know lots
of people are using it for mail and stuff.  PGP was in the spec for a long
time, and nobody really used it.  In the long run, it's obviously necessary
to have common formats that everybody uses in order to get anywhere with this.
I suspect that long-term winner will be PKCS7 due to its flexibility and
compactness (despite the fact that many existing implementations make a
mockery of that compactness by base64 encoding it.)

> > I believe it is not encrypted at all under any key.  The real question is,
> > why wrap an unencrypted message in PKCS-7 and base64 encode it instead of
> > just sending it with no Content-Privacy-Domain at all?
> > 
> If that's the case, then it will be contradictory to section2.3.5 MAC-Info.
> (suppose <Key-ID> has the same interpretation as 'dek'.) because if the key
> is specified, then the message must be encrypted. The spec. says: (it is
> an error to use this key-spec in situations where the folowing message
> body is unencrypted).

But the example does not use the "dek" key-spec, it uses the "inband:alice1"
key-spec, which is legal as long as the context has defined an inband key
named alice1 (e.g. the previous message contained an appropriate Key-Assign:
header.)

- Marc

• Re: some questions about SHTTP
• From: wangw@iti.gov.sg (Wang Wei Jun)

• Previous: Re: "Safe CGI" document
• Next: Re: some questions about SHTTP
• Index(es):
  • Index
  • Thread