[2870] in WWW Security List Archive
Re: Secure-HTTP vs SSL
daemon@ATHENA.MIT.EDU (Adam Shostack)
Sun Sep 1 11:12:31 1996
From: Adam Shostack <adam@homeport.org>
To: ehl@terisa.com (Elgin Lee)
Date: Sun, 1 Sep 1996 09:32:15 -0500 (EST)
Cc: tel1dvw@is.ups.com, www-security@ns2.rutgers.edu
In-Reply-To: <199608312204.PAA05201@itech.terisa.com> from "Elgin Lee" at Aug 31, 96 03:06:35 pm
Errors-To: owner-www-security@ns2.rutgers.edu
Elgin Lee wrote:
| > Could someone explain to me what the difference between these two
| > protocols(?) are?
(I've deleted most of what Elgin said because it's well stated, and I
have nothing to add to it.)
| You could also layer a secure-document protocol on top of SSL, but
| that's what S-HTTP is! S-HTTP could conceivably be run on top of
| SSL, although that's probably sub-optimal because it incurs
| unnecessary overhead due to redundant encryption.
S-HTTP should be fairly flexible in what it lets you sign or
encrypt, reducing the overhead.
The other thing I like about S-HTTP is that it allows you to
sign a document on a secure machine, and then send it out, without
having the private key on the web server. SSL does not allow
you to work without a private key available, which is unfortunate. If
there was a 'only look at signed documents from this server' message
with s-http's ability to have the key offline, then it would be
possible to prevent DOJ disease (to the extent that people use current
browsers.)
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
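
Added example, not part of the original message: a sketch of the offline-signing arrangement described above, in which the web server stores only a document and its signature and the browser checks both against a public key it already trusts. It uses a Lamport one-time signature built from SHA-256 as a stand-in so it runs with the Python standard library alone; this is not the signature format S-HTTP specifies, and the function names and sample page are hypothetical.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(document: bytes) -> list:
    # The 256 bits of the document digest, most significant bit first.
    digest = _h(document)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Offline machine: one-time key pair (Lamport scheme, a stand-in)."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(zero), _h(one)) for zero, one in priv]
    return priv, pub

def sign(priv, document: bytes) -> list:
    """Offline machine: reveal one secret per digest bit. Use each key once."""
    return [priv[i][bit] for i, bit in enumerate(_bits(document))]

def verify(pub, document: bytes, signature) -> bool:
    """Browser side: needs only the public key, obtained out of band."""
    if len(signature) != 256:
        return False
    return all(_h(part) == pub[i][bit]
               for i, (part, bit) in enumerate(zip(signature, _bits(document))))

def demo():
    # Constructed sample page; the names here are hypothetical.
    page = b"<html><body>Official press release</body></html>"
    priv, pub = keygen()                       # done on the offline machine
    served = {"body": page, "sig": sign(priv, page)}  # all the web server holds
    del priv                                   # the key never reaches the server
    genuine = verify(pub, served["body"], served["sig"])
    # The page is altered on the server; without the key it cannot be re-signed.
    served["body"] = b"<html><body>Defaced</body></html>"
    altered = verify(pub, served["body"], served["sig"])
    return genuine, altered

if __name__ == "__main__":
    print(demo())  # (True, False)
```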