two updates on Web security issues

Albert Lunde (Albert-Lunde@nwu.edu)
Mon, 12 Dec 1994 09:44:55 -0800

Two items of note: the formation of an HTTP security working group, and a
post by the author of SHEN which comments on the status of the SHEN/SHTTP
merger.

>From: Greg Bossert <bossert@maurolycus.rutgers.edu>
>To: www-security@ns1.rutgers.edu
>Subject: HTTP Security Announcement from the Dec 1994 IETF meeting
>Reply-To: Greg Bossert <bossert@maurolycus.rutgers.edu>
>
>At the December 1994 Internet Engineering Task Force meeting in San
>Jose, CA, USA, a BOF (Birds Of a Feather) meeting on HTTP Security
>resulted in a request to the Internet Engineering Steering Group to
>form an HTTP Security working group.
>
>The meeting took place on the evening of Tuesday, December 6; alas,
>this conflicted with the IETF Social Event (a trip to TheTech, San
>Jose's science and technology museum). Nonetheless, a gratifying
>30-40 people (that's a guess) attended the BOF.
>
>Tim Berners-Lee chaired the meeting, and summarized the state of
>security services in HTTP; he emphasised the demand (and resulting
>opportunities) for quick specification and implementation of such
>services.
>
>Jeffrey Schiller, the Area Director for Security of the IETF,
>summarized existing and ongoing work in security within the IETF,
>including IP-layer security and proposed standard APIs for security
>service libraries. Information on the IETF working groups is
>available at
><http://www.commerce.net/information/standards/drafts/shttp.txt>.

(This URL seems to be in error, as it is a duplicate of the next)

>Allan Schiffman of EIT outlined EIT's SHTTP proposal. Version 2 of
>this proposal is available at
><http://www.commerce.net/information/standards/drafts/shttp.txt>.
>
>The proposed HTTP Security (HTTPS?) working group would be
>specifically tasked with developing requirements and specifications
>for the provision of security services to HTTP. The group would
>operate within the Security Area of the IETF. This mailing list,
>www-security@nsmx.rutgers.edu, would serve as the working group's
>official forum.
>
>A companion group for non-security issues was also proposed. The HTTP
>working group would be chartered to work on representing the
>current state of HTTP for standardization under the IETF, and for working
>on requirements and specifications for future hypertext transfer
>protocols. Preliminary information is available from
><http://www.ics.uci.edu/pub/ietf/http/>.
>
>NOTE: Details of the HTTPS working group, including the name,
>directorate, and charter, are preliminary and unofficial, pending
>ratification by the IESG. Please refer to the information available
>from the IETF <http://www.ietf.cnri.reston.va.us/home.html> for the
>latest status of this group.
>
>Information about the proposed working group, this mailing list and
>its archives, and many other aspects of WWW Security is available from
><http://www-ns.rutgers.edu/www-security/>. This site has been greatly
>expanded and improved in the last few days. The Web site and mailing
>list are maintained by the Rutgers University WWW Security Team:
>
> Greg Bossert
> Simon Cooper
> Walt Drummond
> www-security-team@www-ns.rutgers.edu
> owner-www-security@nsmx.rutgers.edu
>
>--+ greg bossert rutgers university network services +--
>--+ bossert@noc.rutgers.edu +--
>--+ http://www-ns.rutgers.edu/~bossert +--
>--+ PGP Footprint: 96 6D DC 1D 77 F8 73 68 C9 F6 8B 08 2C 4A 39 42 +--
>--+ +--
>--+ i have never been afraid to change -- Happy +--
>--+ the circumstances of the world -- Rhodes +--
>

>Newsgroups: comp.infosystems.www.users,comp.infosystems.www.misc,comp.infosystems.www.providers
>From: hallam@dxal18.cern.ch (Phillip M. Hallam-Baker)
>Subject: Re: FYI -- Bank of America and Netscape
>Message-ID: <D0K2BJ.7AG@news.cern.ch>
>Sender: news@news.cern.ch (USENET News System)
>Reply-To: hallam@dxal18.cern.ch
>Organization: Wot!!! Me ????
[...]
>In article <LJZ.94Dec7131206@panix.panix.com>, ljz@panix.com (Lloyd Zusman)
>writes:
[... some paragraphs about the need for cross-vendor/cross-platform
standards deleted...]

>|> I see it taking months before there is an agreed-upon standard.
>
>Allan Schiffman at EIT and myself have been working on this problem for
>over a year. An agreement to merge the two resulting standards was made
>two months ago at a meeting of the World Wide Web Consortium. The details
>of this are currently being worked through.

>|>(2) This standard has to be designed into all the commonly used
>|> client and server Web software.
>|>
>|> I see another month or so before this happens.
>
>I'm currently well into the integration of the common standard into the CERN
>library.

>|>(3) This software, especially the client software, has to be built
>|> for all commonly used platforms and operating systems ... both
>|> graphic and non-graphic versions.
>|>
>|> Another month or so.
>
>Nope, the library is common to almost all Web browsers.

>|>(4) The new, secure client software has to be disseminated to most
>|> of the users who will be wanting it in order to make CC purchases.
>|>
>|> This could take quite a while ... as much as a year or more.
>
>Doubt it, none of the other releases has.

>|>And if step (4) costs money, then many potential customers will not
>|>bother (at least not right away), thereby causing businesses which
>|>want to rely upon Web-based CC sales to miss out on potential revenue.
>|>
>|>I therefore think that it is in the interests of those people who wish
>|>to go after Web-based CC business to make the following efforts:
>|>
>|>(1) Push for standards of client-server encryption to get agreed upon
>|> quickly.
>
>What would you prefer, fast agreement or a standard that works? This is not
>exactly trivial stuff you know. Nobody involved wants to be the person who
>invented the broken standard. Releasing code and calling it "bullet-proof" in
>this area is "brave".
>
>The standard does not pass until three things happen, first the authors are
>happy with it, second the referees are happy with it, third the Web community
>is happy with it.

>Bar minor wrangling over the naming of tags and exact byte formats we have
>finished this one.
>
>|>(2) Push for these standards to quickly get compiled into all the major
>|> httpd servers and Web browsers (graphic and non-graphic), for all
>|> major platforms and operating systems.
>
>Not a problem, working on it. I.e. like if I wasn't in this window I would be
>hacking the autoconfigure script.

>|>(3) Make major efforts to get these new, secure Web browsers into the
>|> hands of potential customers as soon as possible, free of
>|> charge, and involving as painless an installation procedure
>|> as is possible.
>
>EIT released their version of the standard in Alpha test several months ago.
[...]
>Finally a few points about the IETF process:-
>
>1) For standards track status the development must have been open.
>2) There have to be two independent implementations.
>3) For crypto stuff there has to be a non-US version [not sure if this is a
> formal requirement].
>
>The only proposal that I am aware of that meets these requirements is the
>S-HTTP/Shen proposal. [OK we don't meet 2 quite yet, that's because I'm
>not quite finished yet].
>
>
>Actually, here we have to distinguish between Shen the specification and Shen
>the implementation. The latter is separate.
>
>--
>Phillip M. Hallam-Baker
>
>Not Speaking for anyone else.

---
    Albert Lunde                      Albert-Lunde@nwu.edu