Security services for HTTP: Kerberos vs. PEM

Marc VanHeyningen (mvanheyn@cs.indiana.edu)
Tue, 29 Jun 1993 17:40:07 -0500


HyperText Transfer Protocol, a simple stateless protocol based on
request-response of MIME messages and associated with the World Wide
Web project, has need of security services (e.g. authentication) in
order to allow things like information protection, modification or
annotation, and possibly compensated commercial information exchange
(in the medium to far future).

The two obvious approaches seem to be Kerberos (widely used and
oriented towards providing security for client-server relationships)
and PEM (not as widely used yet, oriented towards providing protection
for MIME objects such as messages).

I'm attempting to put together a reasonably fair assessment of
potential advantages and problems for each of three different methods
for providing security:
- Kerberos
- PEM with symmetric cryptography only
- PEM with asymmetric cryptography

I'd appreciate hearing from anyone with some knowledge about the
application and implications about each of these approaches
(preferably something more than I can have, which consists of a casual
reading of the pertinent RFCs, drafts, FAQs, and the like) regarding
how readily the necessary support structure can be/is being put in
place, how important the various services each offers are, how
potentially extensible each is, and that kind of thing. If people
care, I can post the resulting document and let the flames begin. :-)

(For that matter, if someone knows a much better method that I didn't
know about, let me know about that too.)

--
Marc VanHeyningen  mvanheyn@cs.indiana.edu  MIME, RIPEM & HTTP spoken here