"vc" == Vincent Cate <Vincent.Cate@FURMINT.NECTAR.CS.CMU.EDU> writes: vc> I was surfing off the edges of my page and came across a page vc> about secure http/mosaic. The page is: vc> http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html This is not the SHTTP work being done for CommerceNet--it is more a proof of concept for doing PK encryption of HTTP requests. It has a few shortcomings: 1) The server identity is passed over an insecure connection without any way for the client to verify it. 2) The server's public key are obtained via finger. 3) Requests are subject to replay attacks. To be fair, the document mentions (2) & (3). There are, at least, a couple projects adding security to HTTP--Shen Security Enhancements to HTTP and Secure HTTP. The former may be found at http://info.cern.ch/hypertext/WWW/Shen/ref/shen.html while SHTTP is available as WWW http://www.commerce.net/information/standards/drafts/shttp.txt Email shttp-info@commerce.net FTP ftp://ftp.commerce.net/pub/standards/drafts/shttp.txt I do not know if the differences between the two have been resolved so that there is a single proposal for secure web transactions. michael