Re: Insecure WWW Access Authorization Protocol?

michael shiplett (michael.shiplett@umich.edu)
Wed, 16 Mar 1994 17:15:14 --100


"rm" == Rob McCool <robm@ncsa.uiuc.edu> writes:

rm> Yes, which is why we are changing Mosaic's behavior for PGP/PEM
rm> and, in the future, Kerberos, to not send the request unencrypted
rm> first, but to get the authentication information from the user and
rm> allow the user to force Mosaic to send the request encrypted the
rm> first time.

Are you looking to make obtaining the authentication information an
automatic procedure based on the server name in URL, e.g., given
http://server.com/..., obtain the public key for server.com using
X.509 certificates to verify the public key; then get the user's
private key somehow? Or will the user always be required to find the
server's public key and to enter information (passphrase, etc.) to get
his private key?

I don't know the status of the Generic Security Service API
(GSS-API) in the Internet community, but after reading RFC 1509, it
could be a good thing to use the GSS-API in httpd servers/clients
instead of each program reinventing the code.

michael