Re: HTTP authentication efforts
Paul writes:
Does anyone know, on the off-chance, who is currently working on HTTP authentication processes for web browsing and Mosaic?
Pointers appreciated.
Philip Hallam-Baker at CERN has done some work in this area. The general name for it appears to be Shen. I don't know what the status of it is. There is also the original PEM and PGP work done at NCSA by Rob McCool. I'm given to understand that MCC has done some work with Kerberos integration. (Microcomputer and Electronics Corp, or whatever). In addition, I believe that both Spry and Mosaic Communications Corp have announced that they have their own security solutions but haven't announced any technical details...

And.....Shameless plug follows:

Allan Schiffman and I here at EIT have developed an extension of HTTP called 'Secure HTTP' which provides for end-to-end security and authentication. (Mainly by recycling a lot of the preexisting work in cryptographic messaging, particularly PEM and PKCS7). The protocol is publicly specified and basically consists of wrapping the entire transaction inside privacy enhanced messages, using a variety of cryptographic message formats. It also includes support for systems in which only one party has a public key pair. [By exchanging an encrypted session key to be used for the return transaction].

Disclaimer: While there will be some free distribution of the software based on this protocol, and the protocol is completely nonproprietary (except, of course, that it uses public key) EIT (and I) have a financial interest in selling products based on this technology.

You can get a copy of the current (though slightly outdated) version of the protocol via:

WWW: http://www.commerce.net/information/standards/drafts/shttp.txt
Email: shttp-info@commerce.net (Automatic response)
Anonymous FTP: ftp.commerce.net/pub/standards/drafts/shttp.txt

The next rev should support (though the released software probably won't for a while) Diffie-Hellman and Kerberos.

-Ekr
participants (1): ekr@eit.COM