At 01:40 PM 1/23/96 -0800, Simon Spero allegedly wrote:

This thread definitely belongs as cypherpunks, as the whole point of the discussion is to debate the limits of what cryptography on its own can achieve.

Back, by popular demand... I didn't really want to continue this discussion here, but I received a couple mails requesting that I continue in this thread. I'm still uncomfortable with this, but I'll oblige.

What do you need as well as crypto before you can remove all firewalls?

I don't think this will ever happen. However, as long as we're dreaming, here's my 2 cents worth on a good start for a secure environment would look like. It's not complete by any stretch of an imagination, but it's a start: o Start with a Secure Operating System - Secure Computing's firewall is a good example of this. They have done some pretty neat things with Type Enforcement. o Add in some decent authentication/encryption/verification mechanisms/digital sigs, etc V-ONE's SmartGate, Fortezza, & Persona would do nicely. Hand-held token devices such as the ones mentioned above should work well. Of course, the user interface to these should be user-friendly. o Throw in a secure method of communication PGP, PGPphone, etc - which is *user-friendly* and which helps automate & manage the key-distribution process (securely, of course) o Mix in applications which have been re-written to be secure, fast, intuitive, user-friendly & interact well with encryption (various kinds). o Add in a central clearinghouse (don't care where) where the latest key expirations/compromises can be checked automatically to confirm that the e-mail you just received is still valid also wouldn't hurt. o Combine the best capabilities of Checkpoint's (firewall) lower-level filtering capabilities with V-0NE's upper-level filtering capabilities and add these to the secure Operating System's network defense mechanisms o Add a good dose of IPsec (sprinkling lightly) to secure the pipe (kindly omitting the Watergate plumbers) o Add user-friendly single sign-on capability (Kerberos, et al) o Mix in heavy encryption with (ridiculously long) keys (say the number of grains of sand stretched end-to-end to make a light year). 8^) o Make all of the above user-friendly & easy-to-implement on a large scale 8^) Throw the ingredients into a pot & stir briskly. Like I said earlier, it's just a start & not a whole solution by any stretch of the imagination. It's probably a nice wish list, though. It'd sure be nice if it came true. (If you think the above list is optimistic, you ought to see my Christmas Wish List). 8^) 8^) 8^)

Simon

(defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n))))

Best Regards, Frank Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified/ <standard disclaimer> The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.