THUS SPAKE "Kipp E.B. Hickman" <kipp@warp.mcom.com>:
# FYI:
#
# If you haven't already, I suggest you take a look at the SSL spec
# (http://home.mcom.com/info/SSL.html)

[ carbon to cypherpunks, whom i think would be interested]

i've been looking at that.

It seems that a special port has to be allocated for each TCP service. So it's not clear to me how to find out if others on the net offer SMTP with SSL, or how I can put SSL into my X11 clients & server. You see what I'm getting at?

It also looks like some heavy equipment is necessary to manage these RSA certificates. Is there anything like PGP's keyring management for manipulating my web-of-trust? Where do I find the docs?

# It does what you are trying to accomplish (I think), and it is already deployed
# in production code (the Netscape client and server products). In addition, we
# announced this week a free (for non-commercial use) reference implementation.
# The code will be out on the net as soon as the lawyers are happy :-)

aha ... that's the missing link. I'd certainly like to add it to the protocols that SKRONK advertizes and negotiates, but doing my own implementation of these complex protocols, and building machinery for using non-PGP certificates, was way more than I could handle.

Please beat your lawyers to a pulp, until they make it useful for us. If I can't create generally useful things with it, and share it with thousands of others on the net for free, it's not going to be used by the cypherpunk community.

I recommend you put your reference implementation in the public domain (except for the RSAREF component). Or take Matt Blaze's crypto offerings from AT&T as your model.

best regards, strick
On Feb 8, 10:52am, strick@techwood.org wrote:
> Subject: Re: skronk
> THUS SPAKE "Kipp E.B. Hickman" <kipp@warp.mcom.com>:
> # FYI:
> #
> # If you haven't already, I suggest you take a look at the SSL spec
> # (http://home.mcom.com/info/SSL.html)
>
> [ carbon to cypherpunks, whom i think would be interested]
>
> i've been looking at that.

good!

> It seems that a special port has to be allocated for each TCP service. So it's not clear to me how to find out if others on the net offer SMTP with SSL, or how I can put SSL into my X11 clients & server. You see what I'm getting at?

It turns out you want separate ports for each ssl-ized service because that way the sysadmin types and the firewall guards are happy. They hate multiplexed protocols because the standard off the shelf router equipment can't deal with it.

> It also looks like some heavy equipment is necessary to manage these RSA certificates. Is there anything like PGP's keyring management for manipulating my web-of-trust? Where do I find the docs?

You are right here. However, our observation is that an interesting chunk of the world is moving towards using X.509 based certificate infrastructures for many things. Everybody wants digital signatures and the related capabilities. For more info, feel free to wade into the X.500 specs (not recommended for the timid or weak of stomach :-), or go poke around on www.rsa.com and look into their pkcs specs.

> # It does what you are trying to accomplish (I think), and it is already deployed
> # in production code (the Netscape client and server products). In addition, we
> # announced this week a free (for non-commercial use) reference implementation.
> # The code will be out on the net as soon as the lawyers are happy :-)
>
> aha ... that's the missing link. I'd certainly like to add it to the protocols that SKRONK advertizes and negotiates, but doing my own implementation of these complex protocols, and building machinery for using non-PGP certificates, was way more than I could handle.
>
> Please beat your lawyers to a pulp, until they make it useful for us. If I can't create generally useful things with it, and share it with thousands of others on the net for free, it's not going to be used by the cypherpunk community.
>
> I recommend you put your reference implementation in the public domain (except for the RSAREF component). Or take Matt Blaze's crypto offerings from AT&T as your model.

The implementation will be out very shortly (it's already done and working). It will be free for non-commercial usage, so hopefully most of the cypherpunks will be happy (if there is such a state of affairs mind you :^)

We won't be having any of the copy-leftish stuff that is in the RSAREF license - like not fiddling with the api, and having to give us back your hacks using it...Of course we want to hear about what people are doing with it (that's another purpose for the ssl-talk mailing list).

--
---------------------------------------------------------------------
Kipp E.B. Hickman          Netscape Communications Corp.
kipp@netscape.com          http://home.mcom.com/people/kipp/index.html
-----BEGIN PGP SIGNED MESSAGE-----

In article <9502081137.ZM28317@warp.mcom.com>,
Kipp E.B. Hickman <kipp@warp.mcom.com> wrote:
> You are right here. However, our observation is that an interesting chunk of the world is moving towards using X.509 based certificate infrastructures for many things.

AFAIK, the only interesting chunk is those corps that want some form of "True Name" (and PKP/RSADSI, of course). Everybody else hates them with a passion.

The Hastur crypto toolkit will support them, but they'll be viewed as special cases of web-of-trust signed keys with time-outs.

- --
Todd Masco     | "Change is not only necessary, it is inevitable."
cactus@hks.net | - Frank Zappa
Cactus' Homepage
- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBLzkkGCoZzwIn1bdtAQE6BAF+LLnnx8PG3kIHOmK7kcXoKEThYeXtZgG2
Ke9yqab4kXHMyMSlAPT94P1eicQvhWDJ
=BC1t
-----END PGP SIGNATURE-----
   From: "Kipp E.B. Hickman" <kipp@warp.mcom.com>

   You are right here. However, our observation is that an interesting chunk of the world is moving towards using X.509 based certificate infrastructures for many things.

It's that interesting chunk that RSADSI is pointing out to you. When you see the world through the eyes of a vendor ...

And you know, of course, that PEM really stands for Patent Extension Mechanism.

I don't really blame you much. I mean TIPEM handles all the X.509 stuff just fine and PGP can't get out even the simplest of libraries, or even a partial library.

Eric
I agree with much of what you say until you hit this:

"Kipp E.B. Hickman" says:
> You are right here. However, our observation is that an interesting chunk of the world is moving towards using X.509 based certificate infrastructures for many things.

Like who? Certainly not the internet standards people, no matter what certain people might tell you. The X.509 body may still be twitching but I don't think its heart is beating any longer.

Perry
Will there be a commercially licensed version, so that things built on SSL can be used in freeware and payware? (Like the recently announced commercial version of RSAREF)

Actually, make that "When will there be.." since otherwise SSL will be yet another standard one company uses. Such standards are less than useful.

Adam

Kipp wrote:
| > Please beat your lawyers to a pulp, until they make it useful for us.
| > If I can't create generally useful things with it, and share it with
| > thousands of others on the net for free, it's not going to be used by
| > the cypherpunk community.
| >
| > I recommend you put your reference implementation in the public domain
| > (except for the RSAREF component). Or take Matt Blaze's crypto
| > offerings from AT&T as your model.
|
| The implementation will be out very shortly (it's already done and working). It
| will be free for non-commercial usage, so hopefully most of the cypherpunks
| will be happy (if there is such a state of affairs mind you :^)
|
| We won't be having any of the copy-leftish stuff that is in the
| RSAREF license - like not fiddling with the api, and having to give
| us back your hacks using it...Of course we want to hear about what
| people are doing with it (that's another purpose for the ssl-talk
| mailing list).

--
"It is seldom that liberty of any kind is lost all at once."
-Hume
On Feb 8, 2:54pm, Adam Shostack wrote:
> Subject: Re: skronk
> Will there be a commercially licensed version, so that things built on SSL can be used in freeware and payware? (Like the recently announced commercial version of RSAREF)
>
> Actually, make that "When will there be.." since otherwise SSL will be yet another standard one company uses. Such standards are less than useful.

Yes, there will be. We haven't formalized it yet, but we have been getting enough interest to warrant it. Understand that this is not the main thrust of our business (selling source code), so it will certainly take some time to put it all together.

--
---------------------------------------------------------------------
Kipp E.B. Hickman          Netscape Communications Corp.
kipp@netscape.com          http://home.mcom.com/people/kipp/index.html
   From: "Kipp E.B. Hickman" <kipp@warp.mcom.com>

   Yes, there will be. We haven't formalized it yet, but we have been getting enough interest to warrant it. Understand that this is not the main thrust of our business (selling source code), so it will certainly take some time to put it all together.

Pardon me if I point out that when you write a new facility and want people to be compatible with it, there needs to be source code available for distribution.

Perhaps this is merely a lapse in corporate self-awareness and fundamental lack of planning. I could be wrong.

Eric
THUS SPAKE "Kipp E.B. Hickman" <kipp@warp.mcom.com>:
# It does what you are trying to accomplish (I think), and it is already deployed
# in production code (the Netscape client and server products). In addition, we
# announced this week a free (for non-commercial use) reference implementation.
# The code will be out on the net as soon as the lawyers are happy :-)

When we last left this story, only certificates from a few (one?) signatory authorities were going to be accepted by Netscape clients. Would this mean that competitors offering Netscape servers would have to go to Netscape to get their keys signed in order to interoperate with existing Netscape clients? I think this is too limiting.

People should be able to choose their own key signers. This should be a configuration option. It should not be compiled into the client! That hurts your own flexibility as well as interfering with interoperability.

Can I use this reference implementation and set up a SSL-compatible service today, or do I have to go to you and/or everyone's friends at RSA and get a signature first? As long as it is the latter I think that SSL is not going to be able to be a well-established standard. People are going to resent having to register with the authorities in order to set up a secure web page.

Hal Finney
hfinney@shell.portal.com
In article <199502082025.MAA00565@jobe.shell.portal.com>, hfinney@shell.portal.com writes:
> THUS SPAKE "Kipp E.B. Hickman" <kipp@warp.mcom.com>:
> # It does what you are trying to accomplish (I think), and it is already deployed
> # in production code (the Netscape client and server products). In addition, we
> # announced this week a free (for non-commercial use) reference implementation.
> # The code will be out on the net as soon as the lawyers are happy :-)
>
> When we last left this story, only certificates from a few (one?) signatory authorities were going to be accepted by Netscape clients. Would this mean that competitors offering Netscape servers would have to go to Netscape to get their keys signed in order to interoperate with existing Netscape clients? I think this is too limiting.

The SSL protocol doesn't define how certificates are truly validated: It does indicate what operations should be performed, but it doesn't say how you go about getting the data to perform the operations. Because there isn't a solid public-key infrastructure in place today, the Netscape Navigator product (1.0 and the up and coming 1.1) only supports a few well known CA's that are built into the client (ick). The CA's that are supported today are:

    C=US, OU=Test CA, O=Netscape Communications Corp.
    C=US, O=RSA Data Security, Inc., OU=Commercial Certification Authority
    C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
    C=US, O=MCI, OU=internetMCI, OU=MALL

So you see, you don't have to come to Netscape Communications Corp. to get a certificate. Of course, this list is kinda short, etc. etc. etc. We have IPRA's certificate too, but because IPRA has no financial backbone, we have not included it in the Navigator product.

> People should be able to choose their own key signers. This should be a configuration option. It should not be compiled into the client! That hurts your own flexibility as well as interfering with interoperability.

Of course this sucks. We plan on fixing this in a future release of the navigator (after the 1.1 release).

> Can I use this reference implementation and set up a SSL-compatible service today, or do I have to go to you and/or everyone's friends at RSA and get a signature first? As long as it is the latter I think that SSL is not going to be able to be a well-established standard. People are going to resent having to register with the authorities in order to set up a secure web page.

SSL requires server operators to be certified so that the end users (e.g. consumers) can have some faith in the data they are receiving, and believe in the privacy of the communications. IMHO, before you can get the consumers to truly believe, you must have a technically sound solution.

It would be possible to modify the protocol to allow a non-certified server to operate. However, this sort of thing is subject to the man-in-the-middle attack. If we allow this sort of attack, and it turns out to be the only easy way for an attack to occur, guess what will happen?

---------------------------------------------------------------------
Kipp E.B. Hickman          Netscape Communications Corp.
kipp@netscape.com          http://home.mcom.com/people/kipp/index.html
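
The two technical points in the exchange above, a non-certified mode being open to a man-in-the-middle and key signers being configuration rather than compiled in, as an added example that is not part of the original thread and is not Netscape's code. It is a toy textbook-RSA model of the name-to-key binding only, not the SSL wire protocol; the keys are constructed and the names accept_key, "Example Test CA", "My Own CA" and www.example.test are hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy textbook RSA key from two known primes (constructed, not secure)."""
    return {"pub": (p * q, e), "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(subject, pub, modulus):
    data = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue(issuer, ca_key, subject, pub):
    n, _ = ca_key["pub"]  # the CA signs the digest binding name to key
    sig = pow(_digest(subject, pub, n), ca_key["d"], n)
    return {"subject": subject, "pub": pub, "issuer": issuer, "sig": sig}

def accept_key(host, pub, cert, anchors, require_cert=True):
    """Return the key the client would encrypt its master key to, or None."""
    if not require_cert:
        return pub  # non-certified mode: whatever key arrives is used
    if cert is None or cert["pub"] != pub or cert["subject"] != host:
        return None
    anchor = anchors.get(cert["issuer"])  # anchors are data, not compiled in
    if anchor is None:
        return None
    n, e = anchor
    ok = pow(cert["sig"], e, n) == _digest(cert["subject"], cert["pub"], n)
    return pub if ok else None

# Constructed keys (Mersenne primes, trivially factorable) and hypothetical names.
CA = make_key(2**89 - 1, 2**107 - 1)
OWN_CA = make_key(2**107 - 1, 2**127 - 1)
SERVER = make_key(2**61 - 1, 2**127 - 1)
INTERPOSER = make_key(2**61 - 1, 2**89 - 1)
HOST = "www.example.test"
ANCHORS = {"Example Test CA": CA["pub"]}

def demo():
    cert = issue("Example Test CA", CA, HOST, SERVER["pub"])
    own = issue("My Own CA", OWN_CA, HOST, SERVER["pub"])
    wider = {**ANCHORS, "My Own CA": OWN_CA["pub"]}  # operator adds a signer
    out = {"genuine": accept_key(HOST, SERVER["pub"], cert, ANCHORS),
           "swapped": accept_key(HOST, INTERPOSER["pub"], cert, ANCHORS),
           "own_before": accept_key(HOST, SERVER["pub"], own, ANCHORS),
           "own_after": accept_key(HOST, SERVER["pub"], own, wider)}
    # Non-certified mode takes the swapped key, so its holder can decrypt
    # the master key (constructed value 0x1995) that the client sends.
    n, e = accept_key(HOST, INTERPOSER["pub"], None, ANCHORS, require_cert=False)
    out["leaked"] = pow(pow(0x1995, e, n), INTERPOSER["d"], n)
    return out
```

In the certified mode the substituted key is refused even when the genuine certificate is replayed with it, while a certificate from a self-chosen signer becomes acceptable as soon as that signer is added to the anchor set.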
participants (8)
- Adam Shostack
- cactus@seabsd.hks.net
- eric@remailer.net
- Hal
- Kipp E.B. Hickman
- kipp@warp.mcom.com
- Perry E. Metzger
- strick@techwood.org