From owner-freebsd-chat Tue Dec 16 20:50:56 1997
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.7/8.8.7) id UAA08079
        for chat-outgoing; Tue, 16 Dec 1997 20:50:56 -0800 (PST)
        (envelope-from owner-freebsd-chat@FreeBSD.ORG)
Received: from anlsun.ebr.anlw.anl.gov (anlsun.ebr.anlw.anl.gov [141.221.1.2])
        by hub.freebsd.org (8.8.7/8.8.7) with SMTP id UAA08066
        for ; Tue, 16 Dec 1997 20:50:48 -0800 (PST)
        (envelope-from cmott@srv.net)
Received: from darkstar.home (ras535.srv.net [205.180.127.35])
        by anlsun.ebr.anlw.anl.gov (8.6.11/8.6.11) with SMTP id VAA03294;
        Tue, 16 Dec 1997 21:50:28 -0700
Date: Tue, 16 Dec 1997 21:49:54 -0700 (MST)
From: Charles Mott
X-Sender: cmott@darkstar.home
To: Nate Williams
cc: chat@FreeBSD.ORG, softweyr@xmission.com
Subject: Re: Support for secure http protocols
In-Reply-To: <199712170414.VAA11573@mt.sri.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Ssh and sshd are already universal in the unix world, and the Wintel
> > variant (F-Secure) is reasonably priced.
>
> And doesn't have nearly the necessary features, is unstable, and due to
> port forwarding is a *huge* security risk unless the system
> administrator has set things up securely.

Any secure server is a risk unless the administrator does his job.
Even after that it is still a risk. Public key encryption is only
as secure as the private keys.

What necessary features are missing? How easy are they to add to the
framework so that they can make ssh (or a derivative) useful? I can
already see applications for which it can be used right now.

> SSH is a *GREAT* solution for many things, but for secure HTTP stuff I
> don't think it's a very good solution.

I don't say use ssh for web commerce (yet), but if I had to set up a
secure server (http, but maybe something else) for a limited clientele,
then I personally would seriously consider an ssh solution. It works
well and it encapsulates both the security and legal headaches.

If your goal is the next great on-line commerce server, then ssh
isn't the answer. But if your customer is a business or association
of some sort that already thinks ssh is a good idea and has the
infrastructure in place, then I think ssh makes sense even for http.

Charles Mott