[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Netscape Show - Security API



I was at the Netscape show and attended the Security API.  Looks pretty 
impresive.  The slides for this should be available a week from now on 
www.develop.netscape.com (?) for those interested.

This will be available in Netscape 4.0

Everything is a plug in module, and you can even replace the crappy DES 
and crippled RSA mods with stronger ones and even write a PGP signature 
checker/signed/encryptor, etc for both server and browser.  Very cool 
stuff. PGP was actually mentioned!

Catch is this: the international version is again crippled, however it is 
interesting to note that they got a module loadable crypto API to pass 
ITAR.  They did this by having the international versions check modules 
for signatures that say "US Export Allowed" :)

Possibilities around this (not that I am advocating any, just restating
what was said): export the USA version (of course breaking the ITAR),
modifying the code that checks the signature and allow it to load any
module, making a DIFF file between versions and exporting that (would this
be legal?)

They mentioned (someone asked) that the signature authentification 
methods that check a module are part of the same API, but hinted that 
they couldn't be overridden.  This could of course be tested, and 
hopefully they can be disabled. :)  But time will tell.

There was also some talk of expiring signatures - not sure if it was 
regarding modules or mail or key certificates.  If module signatures 
expire every six months that would make an interesting situation.

In the USA, you can write any module to do anything!  Would be cool to 
have a Netscape Mail PGP set of modules!!!  This could indeed solve the 
problem of having software that's secure and yet also easy to use.

What sucks is that someone in England couldn't write their own plug in 
modules to get better crypto for use in the international versions.  
Perfectly legal in the point of view of international laws and ITAR, but 
crippled!  Netscape says they won't sign non-USA produced crypto modules 
for the international versions -- or at least that was the message they gave.
The folks at Netscape said that the US Government (NSA wasn't mentioned) 
did not want the situation to exist that someone from outside could build 
stronger crypto and have it be imported to the USA... 

Looks like we have an Iron (Crypto) Curtain situation here.  In the end
the USA suffers since we are only one country, but I won't start ranting
on that here since it's been discussed to death already. :)

Several folks from outside the USA, one guy from England actually did 
express concerns at this problem.


Some of the authentification methods they were showing were smart cards 
and such, and one of the comapnies there was giving eval models out!

Litronic had a couple of models - one a serial port one (9600 only with 
512 bit RSA, also 768 bit, 1024 bit models will be due out in mid '97) 
the other plugs right into the keyboard grabbing your keystrokes before 
they reach the application! If you need eval models for your company to 
do development call'em at 714-545-6649 or go to contact them at 
litronic.com, whatever. :)  

The serial port model is likely to be the most useful since it (should?) 
work on PC's (Running Linux too!), Suns, Macs, and even C64's. :)  Not 
sure if the API for this is software or an RS232 protocol, if the latter, 
these will work with pretty much anything.

Not sure how trustworthy they are, after all you can't disassemble the
smart cards and check their properties to make sure there are no holes,
but possibly a dual method would work.  That is, send a message to the
card, have it sign or encrypt the message with the private key, take that
signature/encrypted message, and also ask the user to type in a second
passphrase (or use the same hashed differently) that's handled on the
local machine.  If the user has both, even if the card is crippled, you
are secure, and even if someone finds the card they won't be able to use 
it. (I won't go into rubber hose key recovery here or any other details, 
see Tim C. May's excellent Cyphernomicon if you need background info on 
that.)

Over all, the message I got from this is that Netscape is doing the right 
thing, they are for strong crypto - but are forced to abide by the 
ITARs.  They are for voluntary key escrow for companies, NOT mandatory 
key escrow.  They'd like to provide strong crypto functionality to all 
and would if not for the ITARs.

=============================================================================
 + ^ + |  Ray Arachelian    |FL|       KAOS KERAUNOS KYBERNETOS      |==/|\==
  \|/  |[email protected]|UL|__Nothing_is_true,_all_is_permitted!_|=/\|/\=
<--+-->| ------------------ |CG|What part of 'Congress shall make no |=\/|\/=
  /|\  | "A toast to Odin,  |KA| law abridging the freedom of speech'|==\|/==
 + v + |God of screwdrivers"|AK|        do you not understand?       |=======
===================http://www.brainlink.COM/~sunder/=========================
      If the Macintosh is a woman...  Then Windows is a Transvestite!
           ActiveX! ActiveX! Format Hard drive? Just say yes!