[2742] in WWW Security List Archive
daemon@ATHENA.MIT.EDU (Mike Burati)
Wed Aug 21 18:54:39 1996
Date: Wed, 21 Aug 1996 15:30:33 -0400
From: Mike Burati <burati@orac.cpe.uml.edu>
Apparently-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Subject: rookie/lurker questions
Sorry if this isn't your idea of the correct topics for this mailing list,
but after some (minimal) thought, it seemed to be on par with the intent...
I'm a long time lurker on this list with only enough time to start reading
the messages recently (last night) and with just enough knowledge about www
security to be dangerous to myself. I've been working on distributed enterprise
security for about 5 yrs now and understand symmetric key vs public key, use
of certificates... but am missing a few key points wrt www security.
This doesn't relate to the security product(s) I've been working on, but those
are limited in scope enough that I'm personally trying to keep up with
everything else going on so I won't be starting from scratch when I do have to deal
with it... If you could point me to the right places for the following info,
I'd greatly appreciate it:
Netscape and MSFT's web pages try to make you think that all your security
problems are solved. You'll authenticate via X.509 certificate (issued by
their respective certificate server or Verisign or ...?), the server will use
that to authenticate you for any page needing authentication and somehow use
it for authorization in future products...
Q: Where does the browser expect to get the certificate (I assume IE will
expect to use MSFT's CryptoAPI to get it, but what about NSCP Navigator?)
and more importantly, where/how will it get access to the Private Key (again,
I assume IE would use CryptoAPI to sign requests or..., but what about NSCP?
how does it unlock the private key?).
Q2: I've heard that there's lots of great tools out there now for integrating
legacy data (Oracle, Sybase, Informix, ODBC connections..., proprietary app
legacy data...) via CGI, NSAPI or ..., and it appears that NSCP and MSFT
expect the web server to do the authentication of the user (cert or user/passwd
based depending on the version). How do you deal with legacy authentication
to this legacy data? (Oracle usernames and authorization based on such...
Legacy app username/password ...). Does everybody just give the web server
complete access to the legacy db or app and assume that if the user
authenticated to the web server they have rights to the app data or are there "common"
methods that people use to get pass-through of the user/password or certificate
so that the legacy app can do its own authentication and authorization?
Feel free to say RTFM (or book) as long as you include which FM (or book)
this type of information can be found in.
Thanks in advance,
..Mike
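The two designs Q2 contrasts (the web server holding one privileged login to the legacy data and deciding everything itself, versus forwarding the authenticated identity so the legacy side can do its own authorization) can be illustrated in a few lines. The example below is added here as an editor's illustration and is not code from the author or from any Netscape/Microsoft product. It assumes a constructed in-memory SQLite table standing in for the legacy data, a constructed certificate subject standing in for the browser's X.509 certificate, and an HMAC-signed identity assertion with a shared gateway key (a placeholder value) as one possible pass-through mechanism; the page itself names no specific mechanism.

```python
import base64
import binascii
import hashlib
import hmac
import json
import sqlite3
import time

# Constructed placeholder: a secret shared by the web tier and the legacy app.
# In a real deployment this would be provisioned out of band, never hard-coded.
GATEWAY_KEY = b"example-shared-secret-replace-in-deployment"


def setup_legacy_db():
    """Constructed stand-in for legacy data: an in-memory table of accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 40)],
    )
    return conn


def subject_from_cert(cert_subject):
    """The web tier maps the client certificate's subject to a user name.
    cert_subject is a constructed dict standing in for a parsed X.509 subject."""
    return cert_subject["CN"]


def issue_assertion(user, key=GATEWAY_KEY, ttl=300, now=None):
    """Web tier: mint a short-lived, HMAC-signed identity assertion for the user."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_assertion(token, key=GATEWAY_KEY, now=None):
    """Legacy side: return the asserted user, or None if the token is bad or expired."""
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return None
    return claims["sub"]


def blanket_query(conn):
    """Design 1: the web server's single privileged login reaches every row,
    so any authorization mistake in the web tier exposes all users' data
    and the legacy audit trail records only the web server's identity."""
    return conn.execute("SELECT owner, balance FROM accounts ORDER BY owner").fetchall()


def legacy_query(conn, token, now=None):
    """Design 2: the legacy side verifies the forwarded identity and applies
    its own authorization (here: row ownership) before returning data."""
    user = verify_assertion(token, now=now)
    if user is None:
        raise PermissionError("rejected identity assertion")
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (user,)
    ).fetchall()


def demo():
    """Run both designs for a constructed client certificate and return the results."""
    conn = setup_legacy_db()
    user = subject_from_cert({"CN": "alice", "O": "Example Corp"})
    token = issue_assertion(user, now=1000)
    return {
        "blanket": blanket_query(conn),          # all three rows
        "scoped": legacy_query(conn, token, now=1010),  # only alice's row
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is where the authorization decision and the audit identity live: with a blanket login, the legacy system cannot tell one web user from another, so both access control and accountability depend entirely on the web tier being correct; with a verified per-user assertion, the legacy system keeps its own authorization rules and a per-user trail, and a compromised or buggy web tier cannot silently widen access beyond what it can legitimately assert.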