[52] in WWW Security List Archive
Re: GSS API...
daemon@ATHENA.MIT.EDU (John Ludeman)
Wed Aug 17 18:56:50 1994
From: John Ludeman <johnl@microsoft.com>
To: www-security@ns1.rutgers.edu
Date: Wed, 17 Aug 94 08:24:38 TZ
----------
| From: Rik Farrow 602 282 0242 MST <netmail!crow!rik@uunet.uu.net>
| To: <netmail!uworld!uunet!ns1.rutgers.edu!www-security@uunet.uu.net>
| Subject: Re: GSS API...
| Date: Tuesday, August 16, 1994 3:58PM
|
| Two items. I raised the specter of DLLs being PC-centric. Most businesses
| talking about HTTP servers are not talking about PC platforms, but UNIX, VMS,
| and only once that I heard of NT.
The general consensus appears to be that most systems *do* support some
concept of shared libraries. The primary requirement is the ability
for a vendor to distribute a binary image that works seamlessly with an
HTTP server or client without the server or client statically relinking
the code. If a site doesn't have the OS support for this, they are
welcome to license with the particular security provider for static
library modules or sources. Even in this instance, standardizing on
the GSS API is clearly beneficial for everyone involved.
In absolutely *no* way am I espousing a PC-centric viewpoint. I trust
the members of this alias to identify non-portable methods and suggest
reasonable alternatives.
|
| Like Bernhardt of Physik.TU-Muenchen.DE mentioned, I am very concerned
| about the security of DLL, or shared library-like tools. These have been
| a big problem, especially on Sun systems, where an attack might take the
| form of placing a doctored shared library ahead of the appropriate shared
| library. It would hardly do to create a security mechanism with inherent
| security problems.
If a sysadmin can't guarantee the security and integrity of system
files on the server, then this is the least of their problems and they
are operating on an essentially open system. This is a topic that is
beyond the scope of this alias.
John
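
Added example, not part of the original message or of any GSS API implementation: one way an administrator could check the integrity condition discussed above, by walking an ordered library search path and flagging any directory ahead of the intended library that is writable by someone other than a trusted owner. The first-match loader model, the function names and the library name `libgss.so` are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_search_path(dirs, libname, trusted_uids=(0,)):
    """Simplified loader model: directories are tried in order and the first
    one holding `libname` wins. Every directory up to and including that one
    must be writable only by a trusted owner, or a same-named file could be
    planted ahead of (or over) the intended library."""
    findings, resolved = [], None
    for d in dirs:
        try:
            st = os.stat(d)
        except OSError:
            findings.append((d, "missing or unreadable"))
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((d, "group/world-writable"))
        if st.st_uid not in trusted_uids:
            findings.append((d, "untrusted owner"))
        candidate = os.path.join(d, libname)
        if os.path.isfile(candidate):
            fst = os.stat(candidate)
            if fst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) or fst.st_uid not in trusted_uids:
                findings.append((candidate, "library file not protected"))
            resolved = candidate
            break  # directories after the first match are never consulted
    return resolved, findings

def demo():
    # Constructed layout: an open directory listed ahead of the real one.
    root = tempfile.mkdtemp()
    open_dir = os.path.join(root, "local_lib")
    system_dir = os.path.join(root, "lib")
    os.mkdir(open_dir)
    os.mkdir(system_dir)
    os.chmod(open_dir, 0o777)    # explicit chmod so the umask does not mask the bits
    os.chmod(system_dir, 0o755)
    lib = os.path.join(system_dir, "libgss.so")  # hypothetical library name
    with open(lib, "w") as fh:
        fh.write("placeholder")
    os.chmod(lib, 0o644)
    # The account running the demo stands in for the trusted owner (root in practice).
    return audit_search_path([open_dir, system_dir], "libgss.so",
                             trusted_uids=(os.getuid(),))

if __name__ == "__main__":
    resolved, findings = demo()
    print("resolves to:", resolved)
    for path, issue in findings:
        print("finding:", path, "-", issue)
```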