Re: Public Key/Private Key
daemon@ATHENA.MIT.EDU (Doug Rosenthal)
Fri Dec 2 18:22:31 1994
To: kerberos@MIT.EDU
Date: Fri, 2 Dec 1994 21:37:19 GMT
From: rosenthl@krypton.mcc.com (Doug Rosenthal)
In article <3bni2c$fip@sashimi.wwa.com>, you write:
|> Eric Westburg (emp547@wwa.com) wrote:
|> : We are trying to determine how to do commercial transactions over the
|> : Internet. We need authentication, authorization, encryption, etc.
|>
|> : Are there any clear directions for this type of technology? Does it appear
|> : that Public Key/Private Key will be the technology chosen by the majority?

Public key technology is getting a lot of attention these days for doing
authentication and encryption in WWW client/server applications. Other
technologies are also being used to secure WWW applications, namely
the Kerberos authentication system from MIT. It may be too early to tell
whether public key technology will be chosen "by the majority"; a larger issue
is interoperability of the security *protocols* used (e.g. EIT/NCSA S-HTTP,
Netscape SSL, CERN Shen, etc.).

|>
|> : Is NCSA working on a version of MOSAIC which will have pk/pk built into
|> : it?

NCSA is working with EIT (CommerceNet) to develop S-HTTP (Secure HTTP), which
is based on RSA.

|> : How will private consumers get their own key? Is there a predicted
|> : timetable for these "key" services to be provided?

Ah, another critical issue. Some would say this will happen when the U.S.
Postal Service sets up a nationwide Certification Authority (CA) infrastructure,
which the Postal Service is actually working on. However, it's unclear what the
timetable is, whether they can efficiently support it, etc.

|>
|> : I keep hearing that Citicorp, other financial services companies,
|> : electronic shopping malls, etc. are pushing to provide a broad range of
|> : services across the Internet? Does anyone know what type of technology
|> : they are planning to use? Is it pk/pk?

Again, the candidates seem to be public key and/or Kerberos. But the critical
interoperability issue is the application security protocols.

|>
|> : Any information (or sources of information) that anyone can give me will
|> : be greatly appreciated.
|>
|> >> Oops, I forgot to add that there is the potential of some of our
|> clients being in foreign countries. What does this do to the possibility
|> of using pk/pk encryption technology?

If you intend to export from the U.S., you'll need to limit public key sizes to
40 bits, and replace any DES dependencies with smaller-keyed symmetric algorithms
(e.g. RSA RC4).

Just FYI:
We've integrated WWW (as well as WAIS, News, FTP, and Telnet) clients/servers
with Kerberos for authentication, developed an authorization server for access
control based on Kerberos user IDs, and developed an encrypted stream capability
based on Kerberos/DES for secure client/server communication. It works across
UNIX, PC/Windows, and Mac platforms. We're looking at integrating public key
mechanism(s) as well to support digital signatures.
--
Doug Rosenthal
MCC EINet | Email: rosenthal@mcc.com
3500 W. Balcones Center Dr. | Voice: 512-338-3515
Austin, TX USA 78759 | Fax: 512-338-3897