[172] in WWW Security List Archive

OBCSCR

daemon@ATHENA.MIT.EDU (Doug Rosenthal)
Fri Sep 30 22:21:45 1994

Date: Fri, 30 Sep 94 15:34:43 CDT
From: rosenthl@mcc.com (Doug Rosenthal)
To: hallam@dxal18.cern.ch
Cc: www-security@ns1.rutgers.edu, www-buyinfo@allegra.att.com
In-Reply-To: hallam@dxal18.cern.ch's message of Fri, 30 Sep 94 21:14:46 +0100 <9409302014.AA02270@dxal18.cern.ch>
Reply-To: rosenthl@mcc.com (Doug Rosenthal)


   Because HTTP is simple it is easy to encapsulate other protocols. I don't
   think the GSS API work has much relevance though. It is higher level than
   HTTP, it is not something you build HTTP (or like apparatus) upon.

The GSS API is simply a programming interface for establishing
security contexts (i.e. user/service identification and
authentication) in client/server applications, as well as facilitating
secure messaging operations (sealing and signing data).  In that
sense, I wouldn't consider it a "higher level" protocol than HTTP.  In
fact, the GSS is intended to be *used by* a variety of applications,
each with their own application protocol (e.g. HTTP, FTP, etc.).  In
that sense, the application protocol is "higher", and determines when
the GSS functionality is employed.  For example, a given client/server
application determines whether authentication is necessary, via the
application protocol, *then* establishes a security context using the
GSS (i.e. an implementation of the GSS API).

   I don't know where you got the idea about what HTTP was `meant' to do.
   Have you spoken to the developers or creators? We certainly intend to keep
   it simple. But we also intend to extend its functionality.

Note that the comment about what HTTP was/wasn't "meant" to do
originated from Chris Rywalt (crywalt@dev.prodigy.com), not myself. :-)

- Doug
