[97] in WWW Security List Archive
ANNOUNCE: AT&T Chrg_HTTP for Electronic Publishing
daemon@ATHENA.MIT.EDU (Doug Rosenthal)
Mon Aug 22 14:59:21 1994
Date: Mon, 22 Aug 94 09:41:31 CDT
From: rosenthl@mcc.com (Doug Rosenthal)
To: Lei_Tang@gs59.sp.cs.cmu.edu
Cc: www-security@ns1.rutgers.edu
In-Reply-To: Lei_Tang@gs59.sp.cs.cmu.edu's message of Fri, 19 Aug 94 21:46:19 -0400 <8793.777347179@GS59.SP.CS.CMU.EDU>
<... much description deleted ...>
The advantage of the protocol is that the client does not have to
pass a decoded password through the open network.
I agree with the validity of your approach to integrate Mosaic/httpd
with Kerberos. We too have integrated our Web clients and an httpd
server with Kerberos, and are working on a public key solution as
well.
<...>
Since it is based on Kerberos, it does not scale well, I am going
<...>
I'm not sure of the validity of this statement, though. Kerberos does
scale with the use of hierarchical realms, much the same as having
hierarchical Certification Authorities (CA) for the
generation/distribution of public key certificates. In fact, if one
assumes the need for on-line validation of such certificates, as
opposed to using certificate revocation lists (CRLs) periodically,
then the Kerberos/CA similarities become even more evident. The issue
then becomes whether CRLs are viable for on-line applications
involving financial transactions, as opposed to more loosely-coupled
applications such as privacy enhanced mail.
- Doug
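As an added example, not part of Doug's message or of anything in the list archive, the Python below models the two points his reply turns on: the hierarchical realm traversal that lets Kerberos span many realms (following the RFC 4120 convention, which postdates this 1994 post), and the acceptance window that a periodically refreshed CRL leaves open compared with on-line validation. Realm names, serial numbers and clock values are all constructed for the demonstration.

```python
"""Added example, not from the list post: models of (1) Kerberos V5
hierarchical cross-realm traversal, per the RFC 4120 section 1.2
convention, and (2) the staleness window of a periodically issued CRL
versus an on-line revocation check. All names, serials and times are
constructed."""

from dataclasses import dataclass, field
from typing import List, Optional


def hierarchical_realm_path(client_realm: str, server_realm: str) -> List[str]:
    """Ordered realms a cross-realm authentication transits, from the client's
    realm to the server's: climb to the closest common ancestor, then descend.
    With no shared suffix there is no common ancestor, so the path climbs to
    each side's top-level realm and crosses between the two roots."""
    up = client_realm.upper().split(".")
    down = server_realm.upper().split(".")

    # Number of trailing name components the two realms share.
    common = 0
    while common < min(len(up), len(down)) and up[-1 - common] == down[-1 - common]:
        common += 1

    if common == 0:
        ascend = [".".join(up[i:]) for i in range(len(up))]
        descend = [".".join(down[i:]) for i in range(len(down) - 1, -1, -1)]
    else:
        # Ascend includes the common ancestor; descend starts one level below it.
        ascend = [".".join(up[i:]) for i in range(len(up) - common + 1)]
        descend = [".".join(down[i:]) for i in range(len(down) - common - 1, -1, -1)]
    return ascend + descend


def transited_realms(client_realm: str, server_realm: str) -> List[str]:
    """Intermediate realms only, the ones a ticket's 'transited' field would
    carry and the server-side KDC is expected to check against its policy."""
    return hierarchical_realm_path(client_realm, server_realm)[1:-1]


@dataclass(frozen=True)
class Crl:
    """Snapshot of revocations known at this_update; relying parties treat it
    as current until next_update."""
    this_update: int
    next_update: int
    revoked: frozenset


@dataclass
class Issuer:
    """The CA's authoritative revocation state. An on-line responder answers
    from it directly; a CRL is a dated copy of it."""
    crl_period: int = 86400  # constructed: one day between CRL issues, in seconds
    revoked: set = field(default_factory=set)

    def revoke(self, serial: int) -> None:
        self.revoked.add(serial)

    def issue_crl(self, now: int) -> Crl:
        return Crl(now, now + self.crl_period, frozenset(self.revoked))

    def online_status(self, serial: int) -> bool:
        """True if the serial is revoked at the moment of the query."""
        return serial in self.revoked


def crl_status(crl: Crl, serial: int, now: int) -> Optional[bool]:
    """True/False from the list, or None once the list has expired and the
    relying party must fetch a fresh one before deciding."""
    if now > crl.next_update:
        return None
    return serial in crl.revoked


def revocation_timeline() -> dict:
    """Constructed scenario: serial 42 is revoked one hour after the daily CRL
    was published. Returns what each mechanism reports afterwards."""
    ca = Issuer()
    crl = ca.issue_crl(now=0)
    revoked_at = 3600
    ca.revoke(42)
    later = 7200  # a transaction two hours into the CRL's lifetime
    return {
        "crl_says_revoked": crl_status(crl, 42, later),
        "online_says_revoked": ca.online_status(42),
        # Seconds during which a relying party trusting this CRL still accepts
        # the revoked certificate: from revocation until the list's next_update.
        "stale_window": crl.next_update - revoked_at,
        "crl_after_expiry": crl_status(crl, 42, crl.next_update + 1),
        "fresh_crl_says_revoked": crl_status(
            ca.issue_crl(crl.next_update), 42, crl.next_update + 1),
    }


if __name__ == "__main__":
    print(hierarchical_realm_path("A.B.C", "D.E.C"))
    print(transited_realms("A.B.C", "D.E.C"))
    print(revocation_timeline())
```

The realm walk is what makes a many-realm deployment workable without every pair of realms sharing a key, which is the sense in which Doug says Kerberos scales; the revocation model makes his last question concrete: for the length of `stale_window` a CRL-only relying party accepts a certificate the issuer has already revoked, while the on-line check reflects the revocation immediately.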