[1006] in WWW Security List Archive

Re: N$ SSL vs M$ PCT

daemon@ATHENA.MIT.EDU (maracchini_dave)
Tue Oct 10 15:42:45 1995

Date: Tue, 10 Oct 95 09:40:43 PDT
From: a-davem@ac.tandem.com (maracchini_dave)
To: rdenny@netcom.com
Cc: a-osborn@ac.tandem.com, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

	From: "Bob Denny" <rdenny@netcom.com>
	Date: Sun, 8 Oct 1995 20:50:10 -0700
	In-Reply-To: a-davem@ac.tandem.com (maracchini_dave)
	        "RE: N$ SSL vs M$ PCT" (Oct  5, 10:09)

	On Oct 5, 10:09, maracchini_dave wrote:
	> Subject: RE: N$ SSL vs M$ PCT
	> 
	> Virtually ALL protocols proposed for use in protecting commerce on the
	> Internet (e.g., S-HTTP) have holes large enough to drive a truck
	> through PRECISELY because they do not limit key use to a specific purpose.

	As a participant in building an S-HTTP-capable server, I have to take 
	exception to the above. S-HTTP can indeed selectively encrypt. In contrast to 
	link-level encryption protocols like SSL and PCT, S-HTTP is designed to 
	selectively encrypt, sign, and/or encrypt and sign individual "documents". The 
	documents do not have to be HTML documents, they can be anything. Like packets 
	containing financial information. S-HTTP has the ability to negotiate keys and 
	crypt-opts at a fine-grain level.  Both in-band and out-of-band keys are 
	supported. 

	Also, in my opinion, it is unfair to describe a security system as having 
	"holes large enough to drive a truck through" without posting the support for 
	that. Quantitative support. We have a lot of newcomers to the net now, and we 
	should not treat them to scare tactics like this.

	  -- Bob


Your point is well taken. I'll be posting a more comprehensive presentation on this
subject in the near future - and I'll be looking forward to your comments.

Dave
