From don@cam.ov.com Sat Oct 7 15:03:35 1995
Received: from hofmann.CS.Berkeley.EDU (hofmann.CS.Berkeley.EDU [128.32.35.123]) by orodruin.CS.Berkeley.EDU (8.7.Gamma.0/8.7.Gamma.0) with SMTP id PAA07324 for ; Sat, 7 Oct 1995 15:03:23 -0700 (PDT)
Received: from pad-thai.cam.ov.com (pad-thai.cam.ov.com [192.231.148.11]) by hofmann.CS.Berkeley.EDU (8.6.10/8.6.6.Beta11) with ESMTP id PAA16345 for ; Sat, 7 Oct 1995 15:03:14 -0700
Received: from gza-client1.cam.ov.com by pad-thai.cam.ov.com (8.6.12/) with ESMTP id ; Sat, 7 Oct 1995 18:05:07 -0400
Received: from localhost by gza-client1.cam.ov.com (8.6.10/4.7) id SAA01505; Sat, 7 Oct 1995 18:05:05 -0400
Message-Id: <199510072205.SAA01505@gza-client1.cam.ov.com>
To: David_A Wagner
Subject: netscape's ssl flaws : postscript
In-reply-to: Your message of "Sat, 07 Oct 1995 14:57:30 PDT." <199510072157.OAA28908@quito.CS.Berkeley.EDU>
Date: Sat, 07 Oct 1995 18:05:04 -0400
From: "Donald T. Davis"
Status: RO

david, here's the citation, followed by the ascii abstract, and finally by the postscript.

-don

-----------------------------------------------------------------

Don Davis, "Kerberos Plus RSA for World Wide Web Security," Proc. 1st USENIX Workshop on Electronic Commerce (nyc, 7/95).

Abstract

We show how to use Kerberos to enable its clients to interact securely with non-Kerberized World Wide Web servers. That is, our protocol does not require that the Web server be a member of a Kerberos realm, and also does not rely on time-synchronization between the participants. In our protocol, the Kerberos client uses the Web server's public-key certificate to gain cryptographic credentials that conform to public-key authentication standards, and to SHTTP. The client does not perform any public-key encryptions. Further, the client is well-protected from a man-in-the-middle attack that weakens SSL. Our protocol conforms to the current specifications for the Kerberos protocol and for the Secure Hypertext Transfer Protocol.