[36] in WWW Security List Archive
Re: GSS API...
daemon@ATHENA.MIT.EDU (Jeff Hostetler)
Tue Aug 16 20:42:31 1994
From: jeff@spyglass.com (Jeff Hostetler)
To: "Roger Masse's the named" <rmasse@cnri.reston.va.us>
Cc: jeff@fido.spyglass.com, www-security@ns1.rutgers.edu
In-Reply-To: (Your message of Tue, 16 Aug 94 16:40:05 D.) <9408161640.aa15616@CNRI.Reston.VA.US>
Date: Tue, 16 Aug 94 16:37:12 -0600
> >> I wrote:
> >> I assume the server sends an encrypted copy of the requested
> >> document to the client to avoid unauthorized access to the
> >> document via a sniffing attack?
>
> >Jeff Hostetler writes:
> >I'm not sure I understand what you mean here.
>
> >In the example, I'm assuming that the document is public-with-copyright
> >(as opposed to a document protected under a need-to-know policy) and
> >that the user is entitled to know of the document's existence and upon
> >payment (or proper Kerberos-like authorization) entitled to a clear-text
> >copy of it.
>
> Transmitted in clear text from Service Provider to client? Won't
> Service Providers be wary of the clear text packets being sniffed
> by non-token-holding entities?
In my model, the HTTP server still holds the 'authorization-required'
or 'pay-per-view' document, and upon receipt of a valid 'certificate'
will send it to the HTTP client. Issuance of a valid 'certificate'
comes from an 'authorized authorization/payment service provider'.
(Something like a Kerberos server or a bank/credit card server.)
The service providers only issue certificates and confirm/deny
their validity.
jeff
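The three-party model Jeff sketches, as an added simulation that is not part of the original thread: a hypothetical authorization/payment provider issues certificates under a key only it holds, so the HTTP server cannot check them itself and must ask the provider to confirm or deny each one before releasing the document. All names, the HMAC-based certificate format and the sample document are constructed for this example; as in the thread, the document itself still travels in clear text.

```python
import hmac
import hashlib
import secrets
import time

class AuthorizationProvider:
    """Hypothetical provider: issues certificates and answers confirm/deny queries."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key never leaves the provider
        self._issued = set()                  # serials of certificates still valid

    def issue(self, user, doc, ttl_s=300, now=None):
        now = int(time.time()) if now is None else now
        cert = {"serial": secrets.token_hex(8), "user": user, "doc": doc, "exp": now + ttl_s}
        cert["mac"] = self._mac(cert)
        self._issued.add(cert["serial"])
        return cert

    def confirm(self, cert, doc, now=None):
        """Deny on tampering, expiry, revocation, or a certificate for another document."""
        now = int(time.time()) if now is None else now
        fields = {k: cert.get(k) for k in ("serial", "user", "doc", "exp")}
        if not hmac.compare_digest(self._mac(fields), cert.get("mac", "")):
            return False
        return cert["serial"] in self._issued and cert["doc"] == doc and cert["exp"] > now

    def revoke(self, serial):
        self._issued.discard(serial)

    def _mac(self, fields):
        msg = "|".join(str(fields[k]) for k in ("serial", "user", "doc", "exp")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class HttpServer:
    """Holds the pay-per-view document; serves it only on a provider-confirmed certificate."""

    def __init__(self, provider, documents):
        self.provider = provider
        self.documents = documents

    def get(self, doc, cert, now=None):
        if doc not in self.documents:
            return 404, ""
        if not self.provider.confirm(cert, doc, now):
            return 401, ""
        return 200, self.documents[doc]   # clear-text delivery, as discussed above
```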