[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "Gnusaic"? Why not a Gnu-Style Web Browser?



On Thu Sep 21 21:59:00 1995: you scribbled...
> 
> In servalan.mailinglist.cypherpunks Tim May writes:
> >Why not a Gnu-style Web browser? I don't know if the original Mosaic can be
> >used and added to, but I can imagine something like this could be done.
> 
> As for Web servers, you can
> get the source code for Plexus or CERN httpd off the net.  Plus, doesn't
> Eric Young have someone's httpd already hacked to include SSL-compliant
> encryption?

Yes.  This has been done.  A set of patches for NCSA's HTTPd (for US 
folks only) can be found at

	http://petrified.cic.net/~altitude/ssl/howto.html

I got the patches from the ssleay gang in AU, but i haven't seen them on
their ftp site yet, so if you're outside the states, it'll be available
rsn (i think...)

> The question becomes why don't the free WWW software people out there now
> support crypto?  Maybe they're simply not expert in or interested in crypto,
> or maybe they don't want to mess with the ITAR hassles. 

Well, I have been trying for the last 3 months to put together a "free"
WWW server to both commercial and non-commercial institutions in the
states (I'm only concerned about people in the states for now because most
of the important issues are moot if you're outside of the states).

The main problems that I've run into are:

   * Crypto is a difficult topic to understand:
       I didn't know anything about crypto when i started.  It's taken me
       this long to start understanding the fundamental concepts and such.
       And i'm still really in the dark about a lot of it.

   * Specific information about crypto, (especially licensing and other
     legal stuff) is difficult to find.
       Since there are so many patents/trade secrets regarding crypto
       libraries/algorithms/protocols, any developer MUST deal with the
       corresponding companies.  That process is long and painful.

   * Money
       There are bound to be legal problems, for example, the RC4
       situation.  According to everything I've heard, it is legal to use
       RC4 because it doesn't have trade secret status anymore.
       Unfortunately, RSA will most likely bring suit to anyone who tries.  

   * ITAR
       'Nuff said.

As for my plan to "provide" a ssl'ized web server, my plan is to put
together a "package" which contains NCSA's HTTPd, SSLeay, and a version of
RSARef.   I would only charge whatever the licensing costs were to me
(There's a minimum $20 cost for the commercial RSARef from Consensus, and
I'm still working on the RC4 licensing).

Oh yeah, one other problem is that companies like RSA are completely
unaccustomed to dealing with people providing "free" products.  For
example, At first, RSA kept asking me for a "Business Plan" so that we
could work out a percentage royalty that I would pay them for RC4
licensing.  They were completely aghast when i said that I wanted to
provide it for free.  The pointed me to RSARef, but i told them that i
wanted to provide it for commercial institutions too, so they asked for
business plan, and the cycle continued....  (I've started working with
them again, so things are progressing for now...).  I know that I don't
really have to go through the RC4 licensing with RSA, but i don't have the
money to buy dinner, let alone go head to head with RSA in court.

anyway, if y'all are interested, more info can be found at
http://petrified.cic.net/~altitude/ssl/ssl.saga.html.  I'd be happy to
answer questions, but seeing the knowledge level on the cp list, i feel
sort of inferior.

Thanx.

...alex...

     Alex Tang  [email protected]   http://petrified.cic.net/~altitude
   CICNet: Unix Support / InfoSystems Services / WebMaster / Programmer
       Viz-It!: Software Developer (Check out http://vizit.cic.net)
  UM-ITD: TaX.500 Developer (Check out http://petrified.cic.net/tax500)