Netscape Show - Security API
I was at the Netscape show and attended the Security API. Looks pretty impressive. The slides for this should be available a week from now on www.develop.netscape.com (?) for those interested. This will be available in Netscape 4.0.

Everything is a plug in module, and you can even replace the crappy DES and crippled RSA mods with stronger ones and even write a PGP signature checker/signed/encryptor, etc for both server and browser. Very cool stuff. PGP was actually mentioned!

Catch is this: the international version is again crippled, however it is interesting to note that they got a module loadable crypto API to pass ITAR. They did this by having the international versions check modules for signatures that say "US Export Allowed" :)

Possibilities around this (not that I am advocating any, just restating what was said): export the USA version (of course breaking the ITAR), modifying the code that checks the signature and allow it to load any module, making a DIFF file between versions and exporting that (would this be legal?)

They mentioned (someone asked) that the signature authentication methods that check a module are part of the same API, but hinted that they couldn't be overridden. This could of course be tested, and hopefully they can be disabled. :) But time will tell.

There was also some talk of expiring signatures - not sure if it was regarding modules or mail or key certificates. If module signatures expire every six months that would make an interesting situation.

In the USA, you can write any module to do anything! Would be cool to have a Netscape Mail PGP set of modules!!! This could indeed solve the problem of having software that's secure and yet also easy to use.

What sucks is that someone in England couldn't write their own plug in modules to get better crypto for use in the international versions. Perfectly legal in the point of view of international laws and ITAR, but crippled!
Netscape says they won't sign non-USA produced crypto modules for the international versions -- or at least that was the message they gave. The folks at Netscape said that the US Government (NSA wasn't mentioned) did not want the situation to exist that someone from outside could build stronger crypto and have it be imported to the USA... Looks like we have an Iron (Crypto) Curtain situation here. In the end the USA suffers since we are only one country, but I won't start ranting on that here since it's been discussed to death already. :)

Several folks from outside the USA, one guy from England actually did express concerns at this problem.

Some of the authentication methods they were showing were smart cards and such, and one of the companies there was giving eval models out! Litronic had a couple of models - one a serial port one (9600 only with 512 bit RSA, also 768 bit, 1024 bit models will be due out in mid '97) the other plugs right into the keyboard grabbing your keystrokes before they reach the application! If you need eval models for your company to do development call 'em at 714-545-6649 or go to contact them at litronic.com, whatever. :) The serial port model is likely to be the most useful since it (should?) work on PC's (Running Linux too!), Suns, Macs, and even C64's. :) Not sure if the API for this is software or an RS232 protocol, if the latter, these will work with pretty much anything.

Not sure how trustworthy they are, after all you can't disassemble the smart cards and check their properties to make sure there are no holes, but possibly a dual method would work. That is, send a message to the card, have it sign or encrypt the message with the private key, take that signature/encrypted message, and also ask the user to type in a second passphrase (or use the same hashed differently) that's handled on the local machine.
If the user has both, even if the card is crippled, you are secure, and even if someone finds the card they won't be able to use it. (I won't go into rubber hose key recovery here or any other details, see Tim C. May's excellent Cyphernomicon if you need background info on that.)

Overall, the message I got from this is that Netscape is doing the right thing, they are for strong crypto - but are forced to abide by the ITARs. They are for voluntary key escrow for companies, NOT mandatory key escrow. They'd like to provide strong crypto functionality to all and would if not for the ITARs.

=============================================================================
 + ^ + |  Ray Arachelian    |FL|  KAOS KERAUNOS KYBERNETOS            |==/|\==
  \|/  |sunder@brainlink.com|UL|__Nothing_is_true,_all_is_permitted!_|=/\|/\=
<--+-->| ------------------ |CG|What part of 'Congress shall make no |=\/|\/=
  /|\  | "A toast to Odin,  |KA| law abridging the freedom of speech'|==\|/==
 + v + |God of screwdrivers"|AK| do you not understand?              |=======
===================http://www.brainlink.COM/~sunder/=========================
If the Macintosh is a woman... Then Windows is a Transvestite!
ActiveX! ActiveX! Format Hard drive? Just say yes!
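
The dual method described in the message above (a card operation combined with a passphrase handled on the local machine), sketched as an added example that is not part of the original post. ToyCard is a constructed stand-in that uses HMAC in place of the card's private-key operation; it is not Litronic's API, and all names and parameters here are assumptions.

```python
import hashlib
import hmac
import os


class ToyCard:
    """Constructed stand-in for a smart card. A real card would sign or
    encrypt the challenge with a private key that never leaves it; HMAC
    with a card-resident secret plays that role here (assumption)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def derive_key(card, passphrase: str, challenge: bytes, salt: bytes) -> bytes:
    """Derive a key that depends on both the card and the passphrase."""
    card_part = card.respond(challenge)
    # Slow hash, so someone who finds the card cannot guess passphrases fast.
    pass_part = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    # Keyed combination: a weak or predictable card response alone is useless.
    return hmac.new(pass_part, b"dual-factor-v1" + card_part, hashlib.sha256).digest()


def enroll(card, passphrase: str) -> dict:
    """Create the host-side record; only a verifier of the key is stored."""
    challenge, salt = os.urandom(16), os.urandom(16)
    key = derive_key(card, passphrase, challenge, salt)
    verifier = hashlib.sha256(b"verify" + key).digest()
    return {"challenge": challenge, "salt": salt, "verifier": verifier}


def unlock(record: dict, card, passphrase: str):
    """Return the key only when the right card and passphrase are both present."""
    key = derive_key(card, passphrase, record["challenge"], record["salt"])
    check = hashlib.sha256(b"verify" + key).digest()
    return key if hmac.compare_digest(check, record["verifier"]) else None


if __name__ == "__main__":
    card = ToyCard(b"constructed-card-secret")
    record = enroll(card, "constructed passphrase")
    print(unlock(record, card, "constructed passphrase") is not None)
    print(unlock(record, card, "wrong guess"))
```

Because the stored challenge is fixed, anyone who once observes the card's response can replay it; a per-session challenge with a real signature check would close that gap.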
Ray Arachelian wrote:
| Everything is a plug in module, and you can even replace the crappy DES
| and crippled RSA mods with stronger ones and even write a PGP signature
| checker/signed/encryptor, etc for both server and browser. Very cool
| stuff. PGP was actually mentioned!

Speaking of Netscape security, it would be nice to be able to write code that controlled various settings on a per site basis, ie, I'll take cookies from the New York Times (one per session), and as many as Amazon.com wants to send, but nowhere else, and Javascript only if it's signed by Dr. Dobbs or comes from www.mycompany.com.

Adam

--
"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats." Vote Harry Browne for President. http://www.harrybrowne96.org
Adam Shostack <adam@homeport.org> writes:
Speaking of Netscape security, it would be nice to be able to write code that controlled various settings on a per site basis, ie, I'll take cookies from the New York Times (one per session), and as many as Amazon.com wants to send, but nowhere else, and Javascript only if it's signed by Dr. Dobbs or comes from www.mycompany.com.
As far as cookies go, if you have a Mac, you can download my CookieCleaner (Applescript, source code included, GPL) or Scott Barnham's cookiecutter executable (freeware, no source) from any info-mac mirror.

cypherpunks write code or something,
Jer

"standing on top of the world/ never knew how you never could/ never knew why you never could live/ innocent life that everyone did" -Wormhole
participants (3)
- Adam Shostack
- Jeremiah A Blatz
- Ray Arachelian