-----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIICETCCAaYCBQJBAADUMA0GCSqGSIb3DQEBAgUAMGMxCzAJBgNVBAYTAlVTMSAw HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEyMDAGA1UECxMpVW5hZmZp bGlhdGVkIFVzZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTMxMDI2MDAw MDAwWhcNOTUxMDI2MjM1OTU5WjCBqjELMAkGA1UEBhMCVVMxEzARBgNVBBETCjk0 MTE0LTM2MTUxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMUUw QwYDVQQJFDxjL28gQ29uc2Vuc3VzIERldmVsb3BtZW50IENvcnBvcmF0aW9uLCA0 MTA0LTI0dGggU3RyZWV0IKY0MTkxGjAYBgNVBAMTEUNocmlzdG9waGVyIEFsbGVu MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMDg2GDo+1J5OQ+Sx6Ub3WkKzJkBV1f+ uognXb5tTNOdskyKKmMpNivX3yNW9yLNxdaMSU7/s8Nq5Oh3Y7KMunUCAwEAATAN BgkqhkiG9w0BAQIFAANWAAEnzrJ1IFNscUI4zJl7HjZIw4rR2Zmh7nJ0qVH55X72 DU8VP/TBdiEWbhfM1qMthQqmnTNYZ9aq7J1d54nRMbk0ccqSapmqknaKiWqdCXBj Qcxg88p= Issuer-Certificate: MIIB/jCCAWsCBQIFAAABMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05MzA1MDEwMDAwMDBaFw05 ODA0MzAyMzU5NTlaMGMxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT ZWN1cml0eSwgSW5jLjEyMDAGA1UECxMpVW5hZmZpbGlhdGVkIFVzZXIgQ2VydGlm aWNhdGlvbiBBdXRob3JpdHkwcDANBgkqhkiG9w0BAQEFAANfADBcAlUxe5CmA5dy igi8ZWJpGJdctHi5wvnIVcG9aupi7+ym5hDyFtVLEeJy5U31xIHz/RSoRJvy0RiY LtSUOZWWlHol6aEzss1lEknAZNX1aluc+ia7NuvxAgMBAAEwDQYJKoZIhvcNAQEC BQADfgBe/pia8Oo46rbZlEZE5S0JDsrqWRS5v2ia0D55lJHQqr5vLY0pJy4sSbcp 0r7ZihMMEEO4o8Mu5ZjM8F1ZfEXPy0mWaHPoVxvb13sXgo17Q9m2U58hvjI72U0m nyB7fXhsjlnFSm8PN0zaTx6RRv8dxvyC42V2mPz6xciQcw== MIC-Info: RSA-MD5,RSA, BVNiXNeTZzv5ChVt/OzLHOvgQ0XbSIW5GsUV/Da58fSVFcxc+OF2R6MMH3NxcWPu tlpZNMVi51vRzw0pLH2psg== Date: Wed, 23 Mar 1994 14:41:00 -0800 Subject: ARTICLE - Two Updates Make for Digital Signatures in Email From: Christopher Allen <consensus@netcom.com> Reply-To: Christopher Allen <consensus@netcom.com> Originator: Christopher Allen <consensus@netcom.com> Organization: Consensus Development Corporation, San Francisco, CA USA Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: consens@netcom.com X-Last-Updated: 1994/03/23 X-Text-Source: ftp://netcom7.netcom.com/pub/consensus/text/Two_Updates_Dig_Sig.txt X-HTML-Source: ftp://netcom7.netcom.com/pub/consensus/www/Two_Updates_Dig_Sig.html Summary: This article is about two recent software updates, RIPEM 1.2 and RSAREF 2.0, which are significanct to the progress of using digital signatures in electronic mail. Keywords: article, christopher allen, consensus development, ripem, ripem/sig, rsaref, digital, signature, electronic, mail, email, security, privacy, privacy enhanced mail, pem, export, decryption encryption, cryptography, authentication, rsa data security, pgp, pretty good privacy, software, license, patent TWO UPDATES MAKE FOR DIGITAL SIGNATURES IN EMAIL ================================================ by Christopher Allen <consensus@netcom.com> Copyright (c)1994 by Consensus Development Corporation--All Rights Reserved. See the end of this article for the full copyright notice. DIGITAL SIGNATURES - ------------------ One of the real up-and-coming uses of encryption technology is for applying digital ``signatures'' to various electronic documents. Such signatures are not forgeable and guarantee that a document originates with its author. If Dartmouth College had such a system in place recently, a message impersonating a faculty member announcing the cancellation of an exam might have been avoided. Digital signatures can also be used to detect viruses before infected files execute. Up to now, however, digitally signing documents has not been an easy task. The first hurdle has been an inability to export the technology overseas, making it virtually impossible to standardize on a signature method. Secondly, it has been difficult to license the technology patents involved. The use of a freeware software utility called Pretty Good Privacy (PGP) has caused some difficulties as well. Since PGP has already found its way overseas and has gained some popularity, in particular because US digital signature software has not been easily exportable. In the United States, many organizations are reluctant to use PGP because of its questionable patent status. In addition, its author, Phil Zimmermann, is under investigation for possible export violations. These problems have kept organizations from adopting PGP as a standard. Two recent announcements have significantly changed things. The first announcement is the release of two new versions of RIPEM, one called RIPEM, the other called RIPEM/SIG. RIPEM is a free version of the Internet Privacy Enhanced Mail (PEM) standard implemented by Mark Riordan of Michigan State University. RIPEM/SIG is a subset of RIPEM that allows users to digitally sign their e-mail documents but does not allow encryption or decryption. What is significant about this announcement is that Riordan--in cooperation with RSA Data Security, Inc--has received a ``commodities jurisdiction'' ruling which allows free and legal export of non-encrypting RIPEM/SIG outside of the US. This means both US and overseas users can now standardize on a single set of software, instead of only working with RIPEM inside the US and PGP outside. This release also addresses some of the complaints of PGP users: both RIPEM and RIPEM/SIG support a non-hierarchical trust model similar to PGP, and for US users the non-exportable version of RIPEM provides full triple-DES privacy. Even though the triple-DES RIPEM may not be exportable, Riordan is working with authors of independently developed PEM applications in other countries with the goal of 100% interoperability in a version 2.0 of RIPEM. Until that time, since RIPEM/SIG is free and exportable, users could send a non-US or Canadian user both RIPEM/SIG and the message to be authenticated. The second announcement is from RSA Data Security, Inc. for the 2.0 version of RSAREF. RSAREF is a source code cryptographic toolkit designed specifically for writing PEM applications as well other fundamental cryptographic and digital signature tools. In fact, RIPEM is based on the RSAREF source code. What is most significant about this new RSAREF is that RSA Data Security has changed its license to make RSAREF much more accessible to both corporations and commercial and non-commercial developers. Freeware products (i.e., software where no fee other than media or bandwidth cost is requested) can use the RSAREF toolkit provided that the public has access to the product's source code. Though a new license agreement has not been finalized, I've been told by RSA that they will grant a royalty-free license for shareware products for up to $10,000 worth of gross annual sales if the shareware source code is available and the developers do not charge more than $50 a copy. Even if you are a commercial developer, I know from personal experience that RSA can be quite reasonable about licensing. They want this base level of technology adopted as widely as possible--just make RSA a reasonable offer and I think they'll take it. RIPEM and RIPEM/SIG are also beneficiaries of this new RSAREF license, which means that US companies can have privacy and authentication free of hassles from patent holders and export cops. MORE ON RIPEM/SIG - ----------------- The press release on RIPEM/SIG from Mark Riordan <mrr@scss3.cl.msu.edu> is at: ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/posting If you are a US or Canadian citizen, you can request an account for access to the full non-exportable RIPEM. Information on how to get access is at: ftp://guest.mu5k2d55:@ripem.msu.edu//pub/crypt/GETTING_ACCESS The binary files for the exportable RIPEM/SIG can be found in the directory: ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/ RSAREF/SIG Files available today are: ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/ ripemsig-68030-macintosh-commandline-1.2a.sit.hqx ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/ ripemsig-80x86-dos-vanilla-1.2a.exe ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/ ripemsig-hppa-hpux9.01-1.2a ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/ ripemsig-ibm-rs6000-aix3.2-1.2a ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/ ripemsig-sparc-sunos4.1.1-1.2a There does not seem to be separate documentation for RIPEM/SIG yet, so I guess you have to use the documentation for RIPEM 1.2a: ftp://ripem.msu.edu/pub/crypt/ripem/ripem.man ftp://ripem.msu.edu/pub/crypt/ripem/ripemusr.doc ftp://ripem.msu.edu/pub/crypt/ripem/ripemusr.txt A current list of RIPEM public keys is at: ftp://ripem.msu.edu/pub/crypt/ripem/pubkeys.txt There is an electronic-mail users group list PEM-DEV for discussions related to the development and deployment of Privacy Enhanced Mail (PEM) systems. Contributions to the list should be sent to ``pem-dev@tis.com''. Administrivia, e.g., additions to or deletions from the list should be sent to ``pem-dev-request@tis.com''. The Internet Multicasting Service <carl@radio.com> is now beginning to stamp all of their text files with RSA/RIPEM digital signatures. You can find their public key through a finger request to town.hall.org. For examples of stamped files, look at: ftp://town.hall.org/edgar/docs/ MORE ON RSAREF 2.0 - ------------------ Remember, even though you can use RSAREF to create exportable, non-encryption based digital signature software, the source code to RSAREF is not exportable itself, as it can do encryption. It is only available to US and Canadian citizens. The press release on RSAREF from Jim Bidzos <jim@chirality.rsa.com> is at: ftp://rsa.com//pub/RIPEM_SIG_announce.txt Information on what RSAREF is all about and what are the license terms are located at: ftp://rsa.com/rsaref/info.reply ftp://rsa.com/rsaref/license.txt To get access to a time dependent directory (it changes every few minutes) you will need to read the document: ftp://rsa.com/rsaref/README If you agree to it's terms, take the directory mentioned there and substitute it for the checksum in the directory ``U.S.-only 7c04e6''. The compressed tar archive of RSAREF is at (remember to change the time dependent directory!): ftp://rsa.com/rsaref/dist/U.S.-only-7c04e6/rsaref.tar.Z The ZIP archive of RSAREF is at (remember to change the time dependent directory!): ftp://rsa.com/rsaref/dist/U.S.-only-7c04e6/rsaref.zip You can also get the RSAREF via email by reading the RSAREF license agreement and sending the following message to <rsaref-administrator@rsa.com> (If your electronic mail address is located in Canada, please also send RSA your full name and mailing address; they'll need it to complete a Department of State export declaration): I acknowledge that I have read the RSAREF Program License Agreement and understand and agree to be bound by its terms and conditions, including without limitation its restrictions on foreign reshipment of the Program and information related to the Program. The electronic mail address to which I am requesting that the program be transmitted is located in the United States of America or Canada and I am an United States citizen, a Canadian citizen, or a permanent resident of the United States. The RSAREF Program License Agreement is the complete and exclusive agreement between RSA Laboratories and me relating to the Program, and supersedes any proposal or prior agreement, oral or written, and any other communications between RSA Laboratories and me relating to the Program. RSA Laboratories maintains an electronic-mail users group <rsaref-users@rsa.com> for discussions on RSAREF applications, bug fixes, etc. To join the users group, send electronic mail to <rsaref-users-request@rsa.com>. AUTHOR'S BIOGRAPHY - ------------------ Christopher Allen is president of Consensus Development Corporation, a microcomputer software development & consulting firm specializing in groupware (defined as software to support collaboration and intentional group processes), including such related areas as hypertext, online documentation, document architecture, electronic publishing, group knowledge-base support tools, and creation and management of shared collaborative spaces. Christopher has been active in a number of other computer industry areas. He runs the Mac Developers Forum and Newton Development SIG on America Online, and a Mosaic/World-Wide-Web area on groupware and collaboration. Christopher has written for a number of industry books and publications, including MacWorld and the Macintosh Bible. He has been moderator and speaker at MacWorld Expo's and Mactivity's groupware sessions, and speaks as a panelist on the subject of Macintosh groupware at other industry conferences. He was chairman of MacHack '93, a conference for Macintosh programming gurus, is on the MacHack Planning Board, and is a senior associate at the Foresight Institute. COPYRIGHT NOTICE - ---------------- This article was written by Christopher Allen <consensus@netcom.com> and is Copyright (c)1994 by Consensus Development Corporation--All Rights Reserved. This article, in whole or in part, may be used and shared in accordance the fair-use provisions of international copyright law: You may print or reproduce this article for non-commercial, personal, or educational purposes only, provided that the article is not modified, and that the copyright notice and this notice appear in all copies; You may quote, mention, cite, refer to, point, or describe this article in books, products, online services, or other media-- but you may not reproduce in whole or in part without permission. In addition, Consensus Development Corporation grants you permission to redistribute this article in electronic form, provided that you first notify Consensus Development and that you receive no fees, in excess of of normal online charges, for access to this article. Archiving, redistribution, republication, or derivation of this article on other terms, in any medium, including but not limited to electronic, CD-ROM, database, or publication in print, requires the explicit written or digitally signed consent from Consensus Development Corporation. These requirements are not meant to be restrictive--we are quite willing to make our articles available even for commercial use, provided that permission is requested. If you have any questions about these terms, or would like information about licensing rights from Consensus Development Corporation, please contact us via telephone 415/647-6383, or email Christopher Allen <consensus@netcom.com>. - ------------------------------------------------------------------------ ..Christopher Allen Consensus Development Corporation.. ..<consensus@netcom.com> 4104-24th Street #419.. .. San Francisco, CA 94114-3615.. .. o415/647-6383 f415/647-6384.. ..Mosaic/World-Wide-Web Front Door: .. ..ftp://netcom7.netcom.com/pub/consensus/www/ConsensusFrontDoor.html .. -----END PRIVACY-ENHANCED MESSAGE----- Created with RIPEM Mac 0.8.5 b2