Phil has the right idea -- the same security mechanism that works for
e-mail can work for WWW, gopher, etc. transactions. And the same
certificate that I use to secure e-mail ought to work the same
for securing a WWW transaction.
And Dave Crocker is right too -- we'd better get a multivendor
standard product out there soon before we get buried under dozens
of proprietary systems that aren't interoperable or consistent.

Phil:
I agree that market drive will provide incentive for shttp, PEM, PEM-MIME and
other applications. I'm not sure what you mean by "secure the web". Do you
mean things like ipsec will eliminate the need for PGP, PEM, etc? I would
disagree with that.

Comment:
There's a conceptual difference here that needs to be clearly understood.
PEM makes no effort to 'secure the Internet'. Rather the focus is on
securing the data that is passing over the [otherwise unsecure] network.
There are several approaches to securing communities of interest
within the network that use link encryption, IP datagram encryption,
session encryption, etc. While these approaches make sense in lots of
applications, and can use the same technology (e.g. public key), they
are properly focussed at 'keeping the riffraff out' rather than protecting
the confidentiality and authenticity of the data.
Rex Buddenberg