Re: CGI and REMOTE_USER

Rob McCool ([email protected])
Tue, 25 Jan 1994 18:39:06 -0600


/*
* Re: CGI and REMOTE_USER by "M. Strata Rose"
* written on Jan 25, 7:33pm.
*
*
* WRT REMOTE_IDENT, I want to put in a request that the variable be able
* to hold standard PGP or RSA key signatures. We almost certainly need to
* define additional variables to do authentication and decryption with, but
* I thought I would just get the ball rolling a little.

httpd 1.1 puts the name which is associated with the user's key in
REMOTE_USER not in REMOTE_IDENT. REMOTE_IDENT is *not* to be trusted under
any circumstances for anything other than simple logging.

* Who out there is already working on "authenticated" Mosaic, ie an http
* server which knows to serve encrypted pages to only a select set of users
* whose clients will know to decrypt them for display & interpretation?
*/

I already did it. httpd 1.1 and the upcoming Mosaic 2.2 have support for an
experimental PGP or PEM based encryption/decryption protocol. Read about it
at http://hoohoo.ncsa.uiuc.edu/PEMPGP.html if you're interested.

--Rob