[245] in WWW Security List Archive

Re: info on proposed SSL protocol and Netscape implementation

daemon@ATHENA.MIT.EDU (Mary Ellen Zurko)
Tue Nov 29 11:07:38 1994

From: zurko@osf.org (Mary Ellen Zurko)
To: www-security@ns1.rutgers.edu
Date: Tue, 29 Nov 94 8:39:07 EST
Reply-To: zurko@osf.org (Mary Ellen Zurko)

> | Our approach is similar to SSL's, in that the security occurs at the
> | transport layer.
> 
> Aren't you being a little ambiguous in saying that "security" occurs at 
> the transport layer?  
Yes.
> Actually, _authentication_ (via ACLs) is done at 
> the (RPC) transport layer, 

Yes and No. ACLs are authorization only; not authentication.

> and _authorization_ is done at the 
> application layer.

Yes. We're providing a channel for the application to do per-object
authorization, if it so wishes. Otherwise, there's also an ACL to set
access to the whole Web server, and that authorization is checked at
the transport layer we're providing by using DCE. For more details,
see the information at http://riwww.osf.org:8001

> Also, I thought that DCE had been shipping with these features for a 
> couple of years?

Yes, it has. Sorry, I was terse, because I know Phill knows all about
what we're doing. The DCE Web project is using DCE to provide a
transport to tunnel application data (in this case, HTTP) over RPC,
and it also uses DCE location-independent naming for server lookup,
and ACLs for authorization (as sketched above).
	Mez