
Re: skronk



On Feb 8, 10:52am, [email protected] wrote:
> Subject: Re: skronk
> THUS SPAKE "Kipp E.B. Hickman" <[email protected]>:
> # FYI:
> #
> # If you haven't already, I suggest you take a look at the SSL spec
> # (http://home.mcom.com/info/SSL.html)
>
> [ carbon to cypherpunks, whom i think would be interested]
>
> i've been looking at that.

good!

> It seems that a special port has to be allocated for each TCP service.
> So it's not clear to me how to find out if others on the net offer SMTP
> with SSL, or how I can put SSL into my X11 clients & server.  You see
> what I'm getting at?

It turns out you want separate ports for each ssl-ized service because that way
the sysadmin types and the firewall guards are happy. They hate multiplexed
protocols because the standard off the shelf router equipment can't deal with
it.

> It also looks like some heavy equipment is necessary to manage these
> RSA certificates.  Is there anything like PGP's keyring management for
> manipulating my web-of-trust?  Where do I find the docs?

You are right here. However, our observation is that an interesting chunk of
the world is moving towards using X.509 based certificate infrastructures for
many things. Everybody wants digital signatures and the related capabilities.
For more info, feel free to wade into the X.500 specs (not recommended for the
timid or weak of stomach :-), or go poke around on www.rsa.com and look into
their pkcs specs.

> # It does what you are trying to accomplish (I think), and it is already
> # deployed in production code (the Netscape client and server products). In
> # addition, we announced this week a free (for non-commercial use) reference
> # implementation. The code will be out on the net as soon as the lawyers are
> # happy :-)
>
> aha ... that's the missing link.  I'd certainly like to add it to the
> protocols that SKRONK advertizes and negotiates, but doing my own
> implementation of these complex protocols, and building machinery for
> using non-PGP certificates, was way more than I could handle.
>
> Please beat your lawyers to a pulp, until they make it useful for us.
> If I can't create generally useful things with it, and share it with
> thousands of others on the net for free, it's not going to be used by
> the cypherpunk community.
>
> I recommend you put your reference implementation in the public domain
> (except for the RSAREF component).  Or take Matt Blaze's crypto
> offerings from AT&T as your model.

The implementation will be out very shortly (it's already done and working). It
will be free for non-commercial usage, so hopefully most of the cypherpunks
will be happy (if there is such a state of affairs mind you :^)

We won't be having any of the copy-leftish stuff that is in the RSAREF license
- like not fiddling with the api, and having to give us back your hacks using
it...Of course we want to hear about what people are doing with it (that's
another purpose for the ssl-talk mailing list).


-- 
---------------------------------------------------------------------
Kipp E.B. Hickman          Netscape Communications Corp.
[email protected]          http://home.mcom.com/people/kipp/index.html