[18] in WWW Security List Archive


Re: Kerberos authentication for X-Mosaic 2.4 and NCSA HTTPD

daemon@ATHENA.MIT.EDU (hallam@dxal18.cern.ch)
Mon Aug 15 17:07:20 1994

From: hallam@dxal18.cern.ch
To: jeff@spyglass.com (Jeff Hostetler), www-security@ns1.rutgers.edu
Cc: hallam@dxal18.cern.ch
In-Reply-To: Your message of "Mon, 15 Aug 94 11:04:11 MDT."
             <9408151604.AA21857@fido.spyglass.com> 
Date: Mon, 15 Aug 94 19:32:27 +0200


Hi,

Jeff writeth:-
>it also would let the distribution channel concentrate on which
>security modules are necessary/legal for a particular end-user.
>a free-with-copyright browser could still exist and be distributed
>on the net -- security-enabled, but with no plug-ins provided.

I think we can enable at least some plug-ins, such as DES for starters and
SQModn hashes. Personally I'd like to base everything on MD5 but that has
commercial restrictivities :-(

The security stuff has to be open though because many sites will want to slot
in their own routines - e.g. NSA, MI5, Whitehouse, PEI etc.


One of the latest bits I have been working on is an entirely symmetric key based
auth system. As previously mentioned I use a Digest function to provide symmetric
key authorisation. I am thinking about extending this to use the password to
encrypt the body of the messages as well.

This would mean that there would be an entirely PD browser with strong
authentication and encryption (well DES at any rate :-) with no patent hassles.

Given that the security though adequate for ATM transactions is a four character
password taken from an alphabet of 10 characters I think this should have some
applications.

In any case RSA is too slow to be useful for a large number of apps. My current
thinking is to use RSA pubkey for key distribution and then use symmetric keys
for each transaction. For campus and company type security this seems a good 
plan.


Phill H-B.

PS if there is anyone there with a CD ROM server for Usenet I have urgent need
to track down a few posts in connection with some legal proceedings.
