As we described in 4.2.2, “S-HTTP” on page 60, S-HTTP permits a great many combinations of cryptographic features. As you might expect, this diversity can make document preparation for S-HTTP rather complex.
There are two pieces of information that you have to define:
The cryptographic features that you want to use. These are defined in CRYPTOPTS statements, either as part of HTML anchors or in a protection directive in the server configuration file.
The public key that your server will use for signing and key exchange. The key will be contained in a certificate (see Chapter 5, “A Web of Trust: Managing Encryption Keys” on page 83 for a discussion about certificates). The certificate can either be included in the HTML source directly or it can be in a separate file that you reference.
S-HTTP Example Using Security Imbeds
In this example we will link to a document with S-HTTP security using the following cryptographic options:
Server to sign all messages
Client to sign all messages
Encryption using DES for server to client and RC2 for client to server (that should confuse the opposition)
In this example we will reference the certificate information remotely, instead of including it in the HTML code.
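The four options above can be written as a CRYPTOPTS value and checked mechanically. The following is an added example, not code from the original text or from the server product: it parses a CRYPTOPTS value and reports any deviation from the options chosen here. It assumes the header names, mode keywords and algorithm tokens of the S-HTTP specification (RFC 2660) and one header per line; the sample value and the function names are constructed for illustration, and the server's exact syntax may differ.

```python
import re

# Header names, mode keywords and algorithm tokens follow the S-HTTP
# specification (RFC 2660). The value below is constructed for this example.
SAMPLE_CRYPTOPTS = (
    "SHTTP-Privacy-Enhancements: orig-required=sign, encrypt; "
    "recv-required=sign, encrypt\n"
    "SHTTP-Symmetric-Content-Algorithms: orig-required=DES-CBC; "
    "recv-required=RC2-CBC"
)

# "orig" = what the server originates, "recv" = what it accepts from the client.
MODE = re.compile(r"^(orig|recv)-(required|optional|refused)$")

def parse_cryptopts(text):
    """Return {header: {(direction, strength): [values]}} for a CRYPTOPTS value."""
    options = {}
    for line in filter(str.strip, text.splitlines()):
        header, sep, body = line.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in {line!r}")
        modes = options.setdefault(header.strip(), {})
        for clause in filter(str.strip, body.split(";")):
            key, sep, values = clause.partition("=")
            match = MODE.match(key.strip())
            if not sep or not match:
                raise ValueError(f"bad mode clause {clause!r}")
            modes[match.groups()] = [v.strip() for v in values.split(",") if v.strip()]
    return options

def check_example_policy(options):
    """List deviations from the four options chosen in the text (empty = match)."""
    enh = options.get("SHTTP-Privacy-Enhancements", {})
    alg = options.get("SHTTP-Symmetric-Content-Algorithms", {})
    problems = []
    if "sign" not in enh.get(("orig", "required"), []):
        problems.append("server is not required to sign")
    if "sign" not in enh.get(("recv", "required"), []):
        problems.append("client is not required to sign")
    if alg.get(("orig", "required")) != ["DES-CBC"]:
        problems.append("server-to-client cipher is not DES")
    if alg.get(("recv", "required")) != ["RC2-CBC"]:
        problems.append("client-to-server cipher is not RC2")
    return problems
```

A value that downgrades client signing from required to optional parses cleanly but is reported by check_example_policy, which is the kind of silent weakening that is easy to miss when options are edited by hand.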
The first thing to do is to check that security imbeds are enabled on the server. From the Server welcome page select Configuration and Administration Forms and then Security Configuration. On that page you will find the S-HTTP configuration options, as shown in Figure 31 on page 73. The default options permit security imbeds for HTML files with a file extension of .shtml.