The previous chapters talked about some lightweight ways of providing authentication (basic and digest authentication) and message integrity (digest qop="auth-int"). These schemes are good for many purposes, but they may not be strong enough for large purchases, bank transactions, or access to confidential data. For these more serious transactions, we combine HTTP with digital encryption technology.
A secure version of HTTP needs to be efficient, portable, easy to administer, and adaptable to the changing world. It also has to meet societal and governmental requirements. We need a technology for HTTP security that provides:
· Server authentication (clients know they're talking to the real server, not a phony)
· Client authentication (servers know they're talking to the real user, not a phony)
· Integrity (clients and servers are safe from their data being changed)
· Encryption (clients and servers talk privately without fear of eavesdropping)
· Efficiency (an algorithm fast enough for inexpensive clients and servers to use)
· Ubiquity (protocols are supported by virtually all clients and servers)
· Administrative scalability (instant secure communication for anyone, anywhere)
· Adaptability (supports the best known security methods of the day)
· Social viability (meets the cultural and political needs of the society)