On Thu Sep 21 21:59:00 1995: you scribbled...
In servalan.mailinglist.cypherpunks Tim May writes:
Why not a Gnu-style Web browser? I don't know if the original Mosaic can be used and added to, but I can imagine something like this could be done.
As for Web servers, you can get the source code for Plexus or CERN httpd off the net. Plus, doesn't Eric Young have someone's httpd already hacked to include SSL-compliant encryption?
Yes. This has been done. A set of patches for NCSA's HTTPd (for US folks only) can be found at http://petrified.cic.net/~altitude/ssl/howto.html. I got the patches from the ssleay gang in AU, but I haven't seen them on their ftp site yet, so if you're outside the states, it'll be available rsn (I think...)
The question becomes why don't the free WWW software people out there now support crypto? Maybe they're simply not expert in or interested in crypto, or maybe they don't want to mess with the ITAR hassles.
Well, I have been trying for the last 3 months to put together a "free" WWW server to both commercial and non-commercial institutions in the states (I'm only concerned about people in the states for now because most of the important issues are moot if you're outside of the states). The main problems that I've run into are:

* Crypto is a difficult topic to understand: I didn't know anything about crypto when I started. It's taken me this long to start understanding the fundamental concepts and such. And I'm still really in the dark about a lot of it.
* Specific information about crypto (especially licensing and other legal stuff) is difficult to find. Since there are so many patents/trade secrets regarding crypto libraries/algorithms/protocols, any developer MUST deal with the corresponding companies. That process is long and painful.
* Money
  There are bound to be legal problems, for example, the RC4 situation. According to everything I've heard, it is legal to use RC4 because it doesn't have trade secret status anymore. Unfortunately, RSA will most likely bring suit to anyone who tries.
* ITAR
  'Nuff said.

As for my plan to "provide" an ssl'ized web server, my plan is to put together a "package" which contains NCSA's HTTPd, SSLeay, and a version of RSARef. I would only charge whatever the licensing costs were to me (There's a minimum $20 cost for the commercial RSARef from Consensus, and I'm still working on the RC4 licensing).

Oh yeah, one other problem is that companies like RSA are completely unaccustomed to dealing with people providing "free" products. For example, at first, RSA kept asking me for a "Business Plan" so that we could work out a percentage royalty that I would pay them for RC4 licensing. They were completely aghast when I said that I wanted to provide it for free. They pointed me to RSARef, but I told them that I wanted to provide it for commercial institutions too, so they asked for a business plan, and the cycle continued.... (I've started working with them again, so things are progressing for now...).

I know that I don't really have to go through the RC4 licensing with RSA, but I don't have the money to buy dinner, let alone go head to head with RSA in court.

Anyway, if y'all are interested, more info can be found at http://petrified.cic.net/~altitude/ssl/ssl.saga.html. I'd be happy to answer questions, but seeing the knowledge level on the cp list, I feel sort of inferior.

Thanx.

...alex...

Alex Tang  altitude@cic.net  http://petrified.cic.net/~altitude
CICNet: Unix Support / InfoSystems Services / WebMaster / Programmer
Viz-It!: Software Developer (Check out http://vizit.cic.net)
UM-ITD: TaX.500 Developer (Check out http://petrified.cic.net/tax500)