[747] in IS Home Pages
Re: Can you provide us a brief explanation of Internet
daemon@ATHENA.MIT.EDU (Jeffrey Schiller)
Fri Sep 3 12:21:35 1999
Message-Id: <3.0.5.32.19990903121947.008c9680@po8.mit.edu>
Date: Fri, 03 Sep 1999 12:19:47 -0400
To: is-home@mit.edu
From: Jeffrey Schiller <jis@MIT.EDU> (by way of Rob Smyser <smyser@mit.edu>)
I have attached a document (both as text and HTML) that I am working
on (just started) for the Integration Team that addresses this issue.
Btw. Did anyone recommend to aisaksen@MIT.EDU that he can download and
install Netscape on his NT machine? His note appears to imply that he
doesn't know that Netscape is available for NT.
-Jeff
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 8/27/99, 3:09:57 PM, Rob Smyser <smyser@MIT.EDU> wrote regarding Can
you provide us a brief explanation of Internet Explorer x509
incompatibility?:
> Jeff, this year we seem to be getting heated complaints from more than one
> user about how they can't use Internet Explorer with MIT Certificates. Can
> you give me a brief technical view of what the problem is, so I can craft
> knowing notes to users to fend them off and quiet them down?
> I appreciate it greatly.
> Thanks!
> Rob
> >Date: Fri, 27 Aug 1999 10:34:08 -0400
> >To: smyser@mit.edu
> >From: Robyn Fizz <fizz@MIT.EDU>
> >Subject: Suggestion for improving the IS web pages
> >
> >Rob,
> >
> >You're right about the touching a nerve thing re Internet Explorer (see
> >below). Could you ask the NetOps folks for some technical background, as
> >you volunteered in your earlier message?
> >
> >Thanks,
> >Robyn
> >
> >>Date: Thu, 26 Aug 1999 17:55:03 -0400
> >>From: aisaksen@MIT.EDU
> >>To: is-home@MIT.EDU (IS Webmasters)
> >>Subject: Suggestion for improving the IS web pages
> >>
> >>Suggestions (provide URL):
> >>
> >>Please please make WEBSIS work with Internet Explorer on
> >>NT boxes. I work entirely on NT machines, and find it
> >>very annoying to have to find a UNIX machine every time
> >>I need to do something billing/grade related.
> >>
> >>Why doesn't it work?
> >>Why isn't there a work around?
> >>
> >>-Aaron
> >>
> >
> >Robyn Fizz
> >News Coordinator
> >MIT Information Systems
> >N42-290B
> >Phone: (617) 253-0540
> >Fax: (617) 258-6875
> >
> >For up-to-date computing news, see
> >http://web.mit.edu/is/newslink/
> >
> >
> >
Why Not Internet Explorer
[Note: This document is a work in progress and has not yet been passed by
the Integration team nor ITLT. It does not (yet) represent our official
position on the issues it discusses!]
MIT Information Systems supports the use of authenticated Web access via
X.509 Certificates. To that end we operate a server which permits people who
have MIT Kerberos credentials (which are used both by Athena and by our
Eudora based e-mail infrastructure) to obtain certificates.
This server only supports the Netscape browser, starting with version 3.0.
We have been asked why we don't support Microsoft's Internet Explorer (IE)
as an alternative.
This document will give a list of reasons and issues as to why we don't do
this. This is subject to change as the underlying assumptions behind these
reasons can and do change.
1. Netscape provides an easier (for us) mechanism for providing
   certificates. Specifically we do not need to know what version of
   Netscape nor what operating system a client is using in order to issue
   them a certificate. By contrast Internet Explorer does not contain all
   of the code necessary to generate the keys that certificates are based
   on. Our server therefore has to download code to be executed by the
   client in order to do this. This requires us to know what operating
   system and exactly what version of IE a client is using so we can
   download the appropriate code. We may not have access to the necessary
   code for all platforms. Putting it another way: With Netscape all we
   need to do is support the one product Netscape, it works identically on
   all platforms. With IE we have to support and independently test each
   platform that it might be used on. Therefore to support IE in addition
   to Netscape isn't doubling the amount of work but is instead
   potentially quadrupling or worse the amount of work necessary to
   support it.
2. IE does not support certificates on the Macintosh at all. So if we were
   to state that we supported IE, we would have to make it clear that this
   does not include the Macintosh. Doing so may cause confusion.
3. We have heard that there are bugs in various versions of IE that expose
   a user's private key to being intercepted and abused by an Internet
   cracker (note: this is controversial. Microsoft denies these problems
   but respected computer security people insist it is easy to do and fear
   that only by releasing a tool that exploits the problem, will they get
   Microsoft to pay attention).
4. Netscape is available for all of the platforms that IE is, and then
   some. Users of Microsoft operating systems can download and install
   Netscape without much difficulty.
5. Finally there is a policy matter that involves MIT's overall use of the
   Web. Although at a basic level Netscape and IE are compatible, they
   differ in how they implement more advanced Web features. By supporting
   only Netscape, we make the development of internal to MIT websites a
   bit easier than it otherwise might be.
As mentioned above, we may change our position on the support of IE. At this
time we are confident that if necessary we could technically provide
certificate support for IE 4.0 running under Windows '95 and NT. We have not
yet tested Windows '98 nor Windows 2000. Information Systems' Integration
Team is responsible for tracking this issue and making recommendations on
direction.