[249] in WWW Security List Archive


Mutual authentication.

daemon@ATHENA.MIT.EDU (Mary Ellen Zurko)
Thu Dec 8 11:35:03 1994

From: zurko@osf.org (Mary Ellen Zurko)
To: www-security@ns1.rutgers.edu
Date: Thu, 8 Dec 94 8:56:29 EST
Cc: zurko@osf.org (Me)
Reply-To: zurko@osf.org (Mary Ellen Zurko)

> 
> Is there any specification for mutual authentication on WWW?

Both Secure-HTTP (S-HTTP) and Secure Sockets Layer (SSL) provide the
ability for both the server and client to authenticate, without
requiring it. The DCE Web (our work) will as well.

> (There are too many servers now and it is possible there is intrusion
> at the server site to cause harm to the innocent clients).

The tricky parts for SHTTP and SSL are establishing the chains/webs of
trust (providing keys to vouch for those authentications). Netscape
(user of SSL) seems to only be providing server authentication
immediately. 

The tricky part for the DCE Web is associating an authentication from
a server from a document (if the server is able to authenticate in a
cell that my cell has a trust relationship with, does that mean it's
trustworthily serving me the document I asked for?).

> As far as I know, in Kerberos, servers are trusted.  Isn't it possible
> to intrude at the server site?

EInet is Kerberos-based. Maybe someone more familiar with that system
could respond about mutual authentication.

	Mez
