[3744] in WWW Security List Archive
reading list for survey of www security
daemon@ATHENA.MIT.EDU (hollyg@mit.edu)
Sat Dec 7 17:46:38 1996
From: hollyg@mit.edu
To: www-security@ns2.rutgers.edu
Date: Sat, 07 Dec 1996 15:24:43 EST
Errors-To: owner-www-security@ns2.rutgers.edu
Hello. I'm working on my Advanced Undergraduate Project
at MIT. my topic is a survery of web security. below
is my reading list (sources, abstracts, etc). If you have
any suggestions of papers that you think are missing, I would
greatly appreciate it. If you are interested in reading the
paper when i'm done, let me know. I will be turning it
in (hopefully) by Jan 17.
thanks,
Holly (http://www.mit.edu:8001/people/hollyg/home.html)
========================================================
Advanced Undergraduate Project Proposal - A Survey of WWW Security
by Holly Grabowski
1. Simple Digest Security Scheme
http://www.w3.org/pub/WWW/Protocols/HTTP/digest_specification.html
An improved, minimal security scheme for HTTP is proposed. This scheme
does not require the use of patented or export restricted technology and is
believed to provide the best effective security possible within those
constraints. This scheme may be used as a direct replacement for the
HTTP/1.0 Basic authentication scheme with minimal modification of clients
and servers. The scheme provides for reuse of code in implementing more
comprehensive security schemes such as S-HTTP.
2. Requirements for HyperText Transfer Protocol Security
http://www-ns.rutgers.edu/www-security/drafts/draft-rutgers-httpsec-requirements-00.txt
Abstract:
This document specifies the requirements for the provision of
security services to the HyperText Transport Protocol. These
services include confidentiality, integrity, user authentication,
and certification of servers/services, including proxied or
gatewayed services. Such services may be provided as extensions
to HTTP, or as an encapsulating security protocol. Secondary
requirements include ease of integration and support of multiple
mechanisms for providing these services.
3. Requirements for Secure Object Transfer Protocols
http://www-ns.rutgers.edu/www-security/drafts/draft-rutgers-sotp-requirements-00.txt
Abstract:
This document specifies the requirements for the class of Secure
Object Transfer Protocols (SDTPs). SDTPs are application-layer
protocols used to request and supply data and objects via a
network, while providing privacy and authentication services; the
class thus includes secure versions of the HyperText Transport
Protocol (HTTP), File Transport Protocol (FTP), etc.
SDTPs share common requirements for privacy and encryption, user
authentication, server certification, certification of proxied or
gatewayed services, preservation of security state information,
and object certification and integrity. These requirements are
specified in this document as a basis for the evaluation and
development of such protocols. In addition, these requirements
clarify the boundaries between SDTP services and those provided
at the content level and by underlying protocols. These
requirements also aid in the evaluation and application of
modular security packages/protocols, such as GSS-API (RFC 1508)
to SDTPs.
4. The Secure HyperText Transfer Protocol
http://www.terisa.com/shttp/current.txt
Abstract:
This memo describes a syntax for securing messages sent using the
Hypertext Transfer Protocol (HTTP), which forms the basis for the
World Wide Web. Secure HTTP (S-HTTP) provides independently applica-
ble security services for transaction confidentiality, authenticity/
integrity and non-repudiability of origin.
The protocol emphasizes maximum flexibility in choice of key manage-
ment mechanisms, security policies and cryptographic algorithms by
supporting option negotiation between parties for each transaction.
5. The SSL Protocol
ftp://ietf.cnri.reston.va.us/internet-drafts/draft-freier-ssl-version3-01.txt
Abstract:
This document specifies Version 3.0 of the Secure Sockets
Layer (SSL V3.0) protocol, a security protocol that provides
communications privacy over the Internet. The protocol
allows client/server applications to communicate in a way
that is designed to prevent eavesdropping, tampering, or
message forgery.
6. The Private Communication Technology Protocol
http://sectest.microsoft.com/pct/pct2.html
This document specifies Version 2 of the Private Communication
Technology (PCT) protocol, a security protocol that provides
privacy over the Internet. The protocol is intended to prevent
eavesdropping on connection-based communications in client/server
applications, with at least one of the two always being
authenticated, and each having the option of requiring authentication
of the other. PCT is somewhat similar to SSL ([1]); however, PCT
version 1 corrects or improves on several weaknesses of SSL, and
version 2 also adds a number of new features. PCT version 2 is fully
compatible with PCT version 1.
7. S/MIME Message Specification
ftp://ietf.org/internet-drafts/draft-dusse-mime-msg-spec-00.txt
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a
standard way to send and receive secure electronic mail. Based on the
popular Internet MIME standard (RFC 1521), S/MIME provides the
following cryptographic security services for electronic messaging
applications: authentication, message integrity and non-repudiation of
origin (using digital signatures) and privacy and data security (using
encryption).
8. PICS: Internet Access Controls Without Censorship
http://www.w3.org/pub/WWW/PICS/iacwcv2.htm
With its recent explosive growth, the Internet now faces a problem
inherent in all media that serve diverse audiences: not all materials are
appropriate for every audience. Societies have tailored their responses to the
characteristics of the media [1, 3]: in most countries, there are more
restrictions on broadcasting than on the distribution of printed materials.
Any rules about distribution, however, will be too restrictive from some
perspectives, yet not restrictive enough from others. We can do better-we
can meet diverse needs by controlling reception rather than distribution. In
the TV industry, this realization has led to the V-chip, a system for
blocking reception based on labels embedded in the broadcast stream.
On the Internet, we can do still better, with richer labels that reflect
diverse viewpoints, and more flexible selection criteria. PICS (note 2), the
Platform for Internet Content Selection, establishes Internet conventions
for label formats and distribution methods, while dictating neither a
labeling vocabulary nor who should pay attention to which labels. It is
analogous to specifying where on a package a label should appear, and in
what font it should be printed, without specifying what it should say.
-end
