
PGP and WWW (was "Securing information transports")



It's true that PGP/PEM hooks for NCSA XMosaic, httpd were added some
time ago.  I think it was basically a "proof of concept" implementation
which had some major problems, making it not quite ready for prime-time.
Foremost, it required passphrases in the clear (!!) to be stored in
support scripts, and the public keys had to be exchanged out of band.

We're working on revising the PGP support for web browsers and servers,
addressing the aforementioned deficiencies and hopefully bringing it to
a usable state.  The current, experimental approach involves using a
CCI app (Common Client Interface application) front end to PGP which
communicates with the browser and handles PGP-related user interface tasks.
This alleviates the need for crypto-specific hooks in the browser, and makes
it easier to use with any browser sporting a compatible, general-purpose
interface like CCI.  Naturally, there are numerous pros and cons associated
with this scheme.

A paper describing the new PGP-CCI design will be presented at the WWW-4
conference.  We'll provide more information as the project develops.
For now, anyone interested in the details of how the PGP-CCI system works
should email me.

	Adam
	acain@ncsa.uiuc.edu


> >The question I'd like to ask is: Has anyone seriously looked into using
> >PGP for encoding of HTTP transactions??? What are the pros and cons????
>
> NCSA httpd and Mosaic supported it (I did it with httpd 1.2 and Mosaic
> 2.something about two years ago in a former employment). The hooks may still
> be in there. It seemed OK, but it wasn't exactly seamless.
>
> Please don't ask me to repeat how I did it, it involved numerous hack
> sessions, tracing Mosaic and httpd, and telnet to port 80 quite a bit. NCSA
> provided contrib scripts that were meant to do it. I presume they had it
> running at some point.
>
> If the key administration (and admin generally) can be cleaned up it might
> be quite a good solution. I know it required modified client and server -
> this might be a problem if Netscape refuse to support it. I like Mosaic
> better anyway.. :-)

