Re: Proposed Extensions to TLS for OpenPGP
> At 7:00 PM -0800 12/31/97, EKR wrote:
> >In message <>, Steve Schear writes:
> >>How about funding programs such as Fortify, which patch browsers to enable
> >>128-bit SSL with all willing servers (whether or not they have supercerts)?
> >That seems like a fine plan, but it doesn't really speak to what
> >Netscape ships as a Netscape product, does it?
> >
> >-Ekr
> Sure it does. (Hello, are you listening?) Fortify modifies the
> currently shipping, currently export approved
> Navigator/Communicator, allowing users anywhere to use its 128-bit
> SSL whenever they connect with a 128-bit capable SSL server (say a
> cypherpunk server at XS4all in the Netherlands). Normally, 128-bit
> SSL is only enabled when these browsers connect with an SSL server
> which has a "supercert" issued with U.S. gov't approval (mostly to
> U.S. banks).
> So strong crypto is now available, via an easily applied patch, to
> the most widely used export approved product.
Sorry I wasn't clear. The point I was trying to make was
that Netscape would still have to ship their export products, no?
Otherwise Fortify doesn't work, right? That said, there will be
a lot of people who don't bother to upgrade (just like there
are a lot of Americans who don't bother to get the domestic
Netscape.) Consequently, we've still got a lot of export
SSL implementations floating around. Does that seem like a
reasonable assessment of the situation to you?
Incidentally, I think this is probably a dangerous course of
action. The EAR <http://www.bxa.doc.gov/supp6.htm> 7 day review
criteria explicitly state:

    (iv) The software must not allow the alteration of the data
    encryption mechanism and its associated key spaces by the user or
    any other program

It seems that Fortify is a constructive proof that the program
in question violates this criterion. That doesn't mean it's
ineligible for CJ completely but I wouldn't want to try to get
approval for it either.
-Ekr
[Eric Rescorla Terisa Systems, Inc.]
"Put it in the top slot."