[820] in WWW Security List Archive
Re: some questions about SHTTP
daemon@ATHENA.MIT.EDU (Wang Wei Jun)
Sat Aug 5 04:56:39 1995
From: wangw@iti.gov.sg (Wang Wei Jun)
To: marcvh@spry.com (Marc VanHeyningen)
Date: Fri, 4 Aug 1995 13:25:55 +0800 (SST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <12402.807486371@pellet.spry.com> from "Marc VanHeyningen" at Aug 3, 95 02:46:11 pm
Errors-To: owner-www-security@ns2.rutgers.edu
Thanks for the reply.
> I don't think it's really possible to create a secure HTTP server from the
> current spec and expect it to work with the installed base without a lot of
> testing in the early design stages. Too much is left unsaid or was changed
> in the implementations but not the spec.
If that's the case, shall we start discussing it? At least the implementers
should let others know what is changed/unsaid in the spec. Otherwise, we
may just have a lot of 'SHTTP compliant' clients/servers but they won't talk
to each other. This really defeats the purpose of WWW.
(BTW, is there any email group specifically discussing SHTTP?)
>
> > 1. Section 2.3.1 Content Privacy Domain
> > "Support for PGP is deprecated".
> > For most people outside USA, PKCS and PEM products are rarely available.
> > However, PGP is widely used as a public
> > key encryption package outside USA. Shall we still consider PGP?
>
> Was anybody actually using it? If not, it seems implausible that anybody
> will anytime real soon. PGP is not available inside the U.S. for commercial
> use under reasonable terms, so I wouldn't expect to see anything happen with
> it here.
>
Yes, people outside USA are using PGP. So in order to let us use SHTTP,
it's good if the spec. can include PGP support.
> > 5. Example (Section 10 page 35)
> > The last message: it says "the data between the delimiters is a PKCS-7
> > 'Data' representation of the request"
> > Q: is the data encrypted by the inband key alice1? if not, why should
> > the server use Key-Assign to send the key alice1?
>
> I believe it is not encrypted at all under any key. The real question is,
> why wrap an unencrypted message in PKCS-7 and base64 encode it instead of
> just sending it with no Content-Privacy-Domain at all?
>
If that's the case, then it will be contradictory to section 2.3.5 MAC-Info
(suppose <Key-ID> has the same interpretation as 'dek'), because if the key
is specified, then the message must be encrypted. The spec. says: (it is
an error to use this key-spec in situations where the following message
body is unencrypted).
Weijun
----------------------------------------------------------------------
|Weijun Wang Tel: +65-7705933 Fax: +65-7773043 |
|E-mail: WANGW@ITI.GOV.SG |
|HTTP: http://iti.gov.sg/iti_people/iti_staff/weijun/weijun.html
|Post: Information Technology Institute |
| 11 Science Park Road,
| Singapore Science Park II, Singapore 0511 |
----------------------------------------------------------------------