[236] in WWW Security List Archive
Re: info on proposed SSL protocol and Netscape implementation
daemon@ATHENA.MIT.EDU (hallam@dxal18.cern.ch)
Thu Nov 24 10:09:14 1994
From: hallam@dxal18.cern.ch
To: www-security@ns1.rutgers.edu
Cc: hallam@dxal18.cern.ch
In-Reply-To: Your message of "Thu, 24 Nov 94 06:22:08 EST."
<aafa26bb210210042f64@[198.93.92.112]>
Date: Thu, 24 Nov 94 21:51:47 +0900
Reply-To: hallam@dxal18.cern.ch
>>Regarding the general IP security (I think you mean that IPng thing), it is going to
>>take several years till it becomes operational IMHO.
>Yup, and it would be extraordinarily difficult to try to support a
>security layer between TCP and IP on a wide range of platforms and networking
>implementations today. SSL can and does layer on top of existing TCP/IP
>implementations across arbitrary platforms (Mac, Windows, Unix, whatever),
>today.
I don't think that people should get completely wound up about the different
security schemes. At present we have:
1) PGP
2) PEM
3) Kerberos
4) S-HTTP/SHEN
5) Secure Sockets.
6) (IP-NG to arrive ???)
7) (X-509 to be implemented ???)
These divide into three groups operating at different layers of abstraction
1) Application PGP/PEM/S-HTTP/SHEN
2) Negotiation S-HTTP/SHEN/Kerberos
3) Transport SSL/IP-NG/X-509
The point being that if you want to provide secure NNTP (and thus allow people
to make a living charging for it) you have to follow the route Marc and co have
gone.
PEM and PGP are not really relevant except as key distribution systems. They are
both optimised for email. Shen started out as being PEM mapped onto HTTP taking
advantage of the HTTP 8-bit clean properties.
S-HTTP/SHEN are being merged (slowly). SHEN tends to deal with rather different
issues than S-HTTP started with. The idea all along has been to produce a single
transport protocol; most of the work in SHEN has gone into working out what
people would want to employ the protocol for.
I think that the route most likely to be followed is that most net traffic will
be routinely passed en clair, signed email being the first security extension to
arrive. Here I suspect that to reduce processing costs challenge systems will
develop so that the security is at a probabilistic level.
There will also be two very important subgroups: commercial inter-organisational
applications where integrated security is required, and intra-organisational
ones where the chief aim is to prevent fraud/avoid hacker attacks. The first of these
leads very naturally to public key, the second to use of shared secrets that are
distributed at intervals via public key.
Fortunately the storm is not yet upon us. We have about two years before the Web
begins to really take off. Up till now it has been the plaything of the
techno-elite. What we are about to see is a major expansion outside that base
into the consumer area. Coincidentally, the public key patent expires in just over
two years.
Phill Hallam-Baker