[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: IP: Navigator, IE, & RSApkc-based SSL
>To: Dave Farber <farber@cis.upenn.edu> >From: Vin McLellan <vin@shore.net> > >[A bit of SSL/TLS history that may be of interest to IP. Regards, _Vin] > >---------------------------- > >To: Tom Weinstein <tomw@geocast.com> >From: Vin McLellan <vin@shore.net> >Subject: Navigator, IE & RSApck-based SSL >Cc: openssl-users@openssl.org, cypherpunks@algebra.com >Date: Fri, 3 Dec 1999 15:56:46 -0500 >Sender: owner-openssl-users@openssl.org > > > Nicolas Roumiantzeff <nicolasr@esker.fr> asked: > > >> Does anybody know why both IE and Netscape browser implement > >>exclusively RSA certificates? > >> > >> My feeling is that Microsoft and Netscape both made a deal with RSA > >> Security to get a "low" price RSA license at the condition of not > >> implementing DSA. > > Tom Weinstein <tomw@geocast.com>, Netscape cryptographer in a >previous life, replied: > > >As a matter of fact, Netscape does support DSA certs, but I never had a > >chance to implement DH key exchanges. The only reason I didn't implement > >it was lack of time. Every time we did schedules, I'd put it on the list; >every > >time, it would get knocked off the bottom by something else. The bottom > line > >is that there were no customers busting down our doors screaming that they > >needed DH, so we didn't do it. > > > > Maybe you could also comment on the original choice of RSApkc for >key exchange in the original SSL ciphersuite, Tom? Paul? There are a lot of >conspiratorial stories (Can you believe that?!) which circulate about >RSADSI's nefarious Imperial schemes to rule the world, and how Netscape and >SSL were Jim Bidzos' bloody sword and shield;-) > > My recollection is that a startup like Netscape in 1993, '94, or >even '95, would have been foolish to go with anything other than RSApkc for >key exchange. Do you agree? > > People forget how different the cryptographic landscape looked then >-- and how much of the environment for such a choice was shaped by the huge >background struggle between the crypto vendors and corporate OEMs, on one >hand, and the American NSA, which had a full-court campaign underway block >the widespread adoption of RSApkc and other un-GAKed crypto. > > As I recall, when the Netscape team was designing SSL, the >NSA-designed DSA was still the subject of considerable controversy, some >suspicion, and a great deal of market confusion. The El Gamal signature >option for D-H was then little known, and whether Stanford's D-H patents >covered El Gamal (a Cylink contention, then and later) was still a subject >of heated debate. > > Since both RSApkc and D-H/XX were patented, of course, so neither >offered a ready escape from crypto IP and royalties demands. > > [NSA was full-bore into its campaign to block the widespread >adoption of RSApkc. The NSA envisioned that its own PKI -- with its own >KEA algorithm for key agreement; DSA for digital sigs; and Skipjack for >symmetric crypt0 (all packaged in Capstone-based GAKed Fortezza) -- would >preempt PKI demand in both the government market and the private sector. US >federal volume purchasing was expected to define or redefine the PKI market.] > > [I've often thought that if the NSA had not so misjudged the >potential of WWW, Netscape, smartcards, and e-commerce (not to mention that >spook bureaucrats were painfully inept at marketing and forgetful of such >industrial-grade basics like field support, for all their power and >influence within the D.C. beltway) -- many more of us Yanks would be >carrying Fortezza PCMCIA cards today. Over the past 15 years, the NSA has >several times been right at the brink of getting control over US private >sector crypto and even private-sector network security en toto. The curious >might research the furor around Reagan's NSDD-145 proclamation some time;-] > > RSApkc was anathama to the Mandarin spooks of the NSA, largely >because RSApkc integrates encryption and digital signature capabilities -- >so the NSA could not restrict encryption, per se, while permitting the free >distribution of PKC-based authentication and integrity services. For damn >near a decade, RSADSI fought a bitter guerrilla war against the federal >effort to standardize the NSA-funded DSA, and channel the American PKI >market into the NSA's D-H-like KEA and Fortezza. > > [In one notable strategic ploy -- the source of many of those >conspiratorial rumors, perhaps -- RSADSI got control of the German Schoor >patents on digital signature techniques. In the crypto politics of the day, >the Schoor patents offered just enough of a timely patent-infringement >threat to the DSS to help many big American OEMs and financial services >firms to resist pressure from the NSA to switch from the RSA technology, >which many had already invested in, to the DSS and the NSA's Fortezza >infrastructure.] > > When Netscape trio was working on v.1 of SSL, of course, RSADSI and >Cylink (which controlled the Stanford patents, including Diffie-Hellman) >were still in an uneasy alliance for joint licensing. Even if Netscape was >making its SSL design choice a couple of years later, after the Public Key >Partnership broke up, I suspect the marketing strategies of RSADSI and >Cylink -- respective banner-bearers for the two leading PKC schemes -- >would have still left Netscape with a clear choice. > > While RSADSI bet on software crypto and was widely promoting its >BSAFE developers' toolkit, Cylink had instead focused on hardware crypto and >the government market. One type of expertise scaled into the zeitgeist >Netscape dreamed of for SSL. The other did not. (Which is not to even >mention the relative efficiency of RSApkc for key or cert verification.) > > For MS, when it sometime later turned on a proverbial dime to focus >on the Net and Netscape, it was probably an even easier decision to stay >with RSApkc and not load IE with D-H_DSS or alternatives. Redmond had >already purchased full rights to use RSApkc and the sundry RC ciphers, and >MS wanted the early IE to look just like Netscape's Navigator/Communicator;-) > > RSADSI's management also recognized the potential of the Web early, >and more clearly than many others. RSADSI, which was then still a hungry, >small, $10M/yr. crypto lab and and IP licensing firm -- not known for >passing up cash on the table -- offered Netscape full no-royalty access to >its public key and symmetric crypto in exchange for one percent of >Netscape's equity. (I think RSADSI also bet on SSL's then-strong >competitor, S-HTTP, with a major investment in Terisa, now part of Spyrus.) > > For a startup like Netscape, I presume the no-cash offer was >attractive, maybe even irresistable... even if all the other factors had not >lined up to tilt the SSL design team toward RSApkc. This is all off the top >of my head, but I think it is relatively accurate. Comments and corrections >from those directly involved in these events, or anyone else, would be very >welcome. > > Surete, > _Vin > >____________________________________________________ >OpenSSL Project http://www.openssl.org >User Support Mailing List openssl-users@openssl.org >Automated List Manager majordomo@openssl.org > >--------------------------------------- > >Date: Fri, 03 Dec 1999 14:25:25 -0800 >From: Tom Weinstein <tomw@geocast.com> >Organization: Geocast Network Systems >To: Vin McLellan <vin@shore.net> >CC: openssl-users@openssl.org, cypherpunks@algebra.com >Subject: Re: Navigator, IE & RSApck-based SSL > > >Vin McLellan wrote: > > > Tom Weinstein <tomw@geocast.com>, Netscape cryptographer in a > > previous life, replied: > > > >> As a matter of fact, Netscape does support DSA certs, but I never had a > >>chance to implement DH key exchanges. The only reason I didn't > >> implement it was lackof time. Every time we did schedules, I'd put it on >the > >> list; every time, it would get knocked off the bottom by something else. > >>The bottom line is thatthere were no customers busting down our doors > >>screaming that they needed DH, so we didn't do it. > > > > Maybe you could also comment on the original choice of RSApkc for > > key exchange in the original SSL ciphersuite, Tom? Paul? There are a > lot of > > conspiratorial stories (Can you believe that?!) which circulate about > > RSADSI's nefarious Imperial schemes to rule the world, and how Netscape > > and SSL were Jim Bidzos' bloody sword and shield;-) > > > > My recollection is that a startup like Netscape in 1993, '94, or > > even '95, would have been foolish to go with anything other than RSApkc for > > key exchange. Do you agree? > >I wasn't at Netscape at the time that SSL 1.0 and 2.0 were written, so my >information for that period is not eyewitness testimony. Be warned. :-) > >I think there were two major factors that motivated the choice of RSA. First >BSAFE was existing code that could just be used. In a startup, it's very >important that you not waste time reinventing wheels that you can buy off the >shelf. Finally, the most popular piece of crypto software at the time was >PGP, >which also used RSA. > >-- >What is appropriate for the master is not appropriate| Tom Weinstein >for the novice. You must understand Tao before | tomw@geocast.com >transcending structure. -- The Tao of Programming | > >--------------------------------------------- > >From: Sameer Parekh <sameer@bpm.ai> >Subject: Re: Navigator, IE & RSApck-based SSL >To: openssl-users@openssl.org >Date: Fri, 3 Dec 1999 15:19:56 -0800 (PST) >Cc: vin@shore.net, openssl-users@openssl.org, pkocher@cryptography.com, > cypherpunks@algebra.com > > > > > I think there were two major factors that motivated the choice of > RSA. First > > BSAFE was existing code that could just be used. In a startup, it's very > > important that you not waste time reinventing wheels that you can buy off > > the shelf. Finally, the most popular piece of crypto software at the time >was > > PGP, which also used RSA. > > I share Tom's opinion that the decision at Netscape was not >nearly as complex as Vin alludes to. I doubt there was a "conspiracy" >but simple issues such as PGP, the existence of BSAFE, and perhaps an >existing friendly relationship between Netscape and RSA senior >management affected the decision much more than complex security >policy concerns involving the NSA. > >-- >sameer > >-------------------------------------- > >From: EKR <ekr@rtfm.com> >To: openssl-users@openssl.org >Cc: Tom Weinstein <tomw@geocast.com>, pkocher@cryptography.com, > cypherpunks@algebra.com >Subject: Re: Navigator, IE & RSApck-based SSL >Date: 03 Dec 1999 16:37:17 -0800 > > >Vin McLellan <vin@shore.net> writes: > > > Maybe you could also comment on the original choice of RSApkc for > > key exchange in the original SSL ciphersuite, Tom? Paul? There are a > lot of > > conspiratorial stories (Can you believe that?!) which circulate about > > RSADSI's nefarious Imperial schemes to rule the world, and how Netscape and > > SSL were Jim Bidzos' bloody sword and shield;-) > >I'm not Tom or Paul, but as one of the S-HTTP designers and someone who >saw very early SSL specs, I'll put in my $.02. > >At the time (94-95) getting DH was no easier than getting RSA due >to the existence of PKP. Moreover, it was pretty clear that >RSA was the popular choice: There were certificate formats (X.509) >and an email format (PEM) based on it. From our perspective the >DH/DSS situation was much less evolved. In point of fact, a very >early draft of S-HTTP contained DH support, which was removed >after Burt Kaliski pointed out to us that it was underspecified. > >Moreover, RSA/PKP was very unwilling to grant a patent >license, preferring to sell you BSAFE and TIPEM, which were >very biased towards RSA. The DSS support was nonexistent >and the DH support (at least through BSAFE 3.0) was terrible. >(In point of fact, despite the fact that BSAFE includes DH, >when I added the the DH/DSS ciphersuites to Terisa's product, >I wrote the code myself rather than using BSAFE's). > >1998 seemed impossibly far away at the time and so it didn't >even occur to us to worry about the DH patent expiring. This >would not have been a convincing reason not to use RSA. > >-Ekr > >P.S. SSLv1 and v2 were not designed by Kocher et al. They were >designed by Kipp Hickman (also a Netscape employee) in the >fall of 1994. > >-- >[Eric Rescorla ekr@rtfm.com] > >---------------------------------------------- > >To: Tom Weinstein <tomw@geocast.com> >From: Vin McLellan <vin@shore.net> >Cc: openssl-users@openssl.org, pkocher@cryptography.com, > cypherpunks@algebra.com >Date: Fri, 3 Dec 1999 22:06:09 -0500 >Subject: Re: Navigator, IE & RSApck-based SSL > > > According to a well-informed government source, Vin McLellan wrote: > > >> Maybe you could also comment on the original choice of RSApkc for > >> key exchange in the original SSL ciphersuite, Tom? Paul? There are a > lot of > >> conspiratorial stories (Can you believe that?!) which circulate about > >> RSADSI's nefarious Imperial schemes to rule the world, and how Netscape > >> and SSL were Jim Bidzos' bloody sword and shield;-) > >> > >> My recollection is that a startup like Netscape in 1993, '94, or > >> even '95, would have been foolish to go with anything other than RSApkc > >> for key exchange. Do you agree? > > Tom Weinstein <tomw@geocast.com> graciously replied: > > >I wasn't at Netscape at the time that SSL 1.0 and 2.0 were written, so my > >information for that period is not eyewitness testimony. Be warned. :-) > > > >I think there were two major factors that motivated the choice of > RSA. First > >BSAFE was existing code that could just be used. In a startup, it's very > >important that you not waste time reinventing wheels that you can buy > off the > >shelf. Finally, the most popular piece of crypto software at the time > was PGP, > >which also used RSA. > > > Thanks. I should have mentioned PGP and PEM, of course! Probably >X509 and Rivest's MailSafe (to which PGP showed a remarkable >resemblence;-) too. > > I also don't disagree with Eric Rescorla or Sameer Parekh, two savvy >developers who stressed the importance of RSA's BSAFE toolkit, with its >inevitable biases. > > I was only rambling about the broader politech context as a way of >explaining why DH with DSS (what many younger people today suggest was the >obvious alternative PKC for SSL) was not then, or for several years later, >seen as a viable choice -- even if some prescient soul saw fit to factor the >1997 DH patent expiration into the design decision. > > The fact that DH -- and Fortezza's KEA, whose shadow then should not >be underestimated -- needed a royalty-free DSS was a major factor in the way >a lot of American OEMs evaluated their options for PKI and PKC-enabled apps >and products in 1994-1995. > > My humble apologies (and grateful thanks also) to Kipp Hickman -- >the Netscape crypto engineer who designed SSL v.1 and v.2 -- whose name I >should have mentioned. > > _Vin > >----------------------------------------- > >Date: Fri, 03 Dec 1999 20:46:38 -0800 >From: Paul Kocher <paul@cryptography.com> >To: EKR <ekr@rtfm.com>, openssl-users@openssl.org >Cc: Tom Weinstein <tomw@geocast.com>, paul@cryptography.com, > cypherpunks@algebra.com >References: <E11tzkz-0006pJ-00@nautilus.shore.net> >Subject: Re: Navigator, IE & RSApck-based SSL > > >Vin McLellan <vin@shore.net> writes: > > > > Maybe you could also comment on the original choice of RSApkc for > > > key exchange in the original SSL ciphersuite, Tom? Paul? There are a > > > lot of conspiratorial stories (Can you believe that?!) which circulate >about > > > RSADSI's nefarious Imperial schemes to rule the world, and how Netscape > > > and SSL were Jim Bidzos' bloody sword and shield;-) > >At 04:37 PM 12/3/99 -0800, EKR wrote: > > >I'm not Tom or Paul, but as one of the S-HTTP designers and someone who > >saw very early SSL specs, I'll put in my $.02. > > > >At the time (94-95) getting DH was no easier than getting RSA due > >to the existence of PKP. Moreover, it was pretty clear that > >RSA was the popular choice: There were certificate formats (X.509) > >and an email format (PEM) based on it. From our perspective the > >DH/DSS situation was much less evolved. In point of fact, a very > >early draft of S-HTTP contained DH support, which was removed > >after Burt Kaliski pointed out to us that it was underspecified. > > > >Moreover, RSA/PKP was very unwilling to grant a patent > >license, preferring to sell you BSAFE and TIPEM, which were > >very biased towards RSA. The DSS support was nonexistent > >and the DH support (at least through BSAFE 3.0) was terrible. > >(In point of fact, despite the fact that BSAFE includes DH, > >when I added the the DH/DSS ciphersuites to Terisa's product, > >I wrote the code myself rather than using BSAFE's). > > > >1998 seemed impossibly far away at the time and so it didn't > >even occur to us to worry about the DH patent expiring. This > >would not have been a convincing reason not to use RSA. > > > >-Ekr > > > >P.S. SSLv1 and v2 were not designed by Kocher et al. They were > >designed by Kipp Hickman (also a Netscape employee) in the > >fall of 1994. > > >This pretty much matches my take. Although I wasn't involved with SSL 2, >the choice of RSA makes sense even ignoring the licensing issues -- people >trust the RSA algorithm, while DSA was relatively new and was the subject >trustworthiness/patent status concerns. The main purpose of SSL was >to help people to trust the web with personal data like credit card numbers, >so perceptions did matter. Also, Verisign only supported RSA (no >coincidence, since they were spun-off from RSA). > >On the SSL 3.0 design, Phil, Alan, and I had pretty much complete freedom to >do whatever made sense, except that we had to support Fortezza and weak >crypto (which none of us were enthusiastic about). We did what we could >-- for >example, each party uses a different 40-bit key to squeeze an extra bit >of effective security, strong authentication is used no matter what algorithm >is selected, etc. For the benefit of non-web uses and standards bodies >we added the non-RSA options, but never expected it to gain much use on >the web. > >- Paul > > > >_________________________________________________________________ >Paul Kocher Cryptography Research, Inc. >Tel: 415.397.0123 (fax: -0127) 607 Market St., 5th Floor >E-mail: paul@cryptography.com San Francisco, CA 94105 > >-------------------------------------- > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Powered by eList eXpress LLC