At 7:00 PM -0800 12/31/97, EKR wrote:
In message <v03102805b0d08d63c7cc(_at_)[208(_dot_)129(_dot_)55(_dot_)202]>,
Steve Schear writes:
At 2:25 PM -0800 12/31/97, EKR wrote:
Will Price <wprice(_at_)pgp(_dot_)com> writes:
At 11:15 PM -0800 12/30/97, Eric Rescorla wrote:
[big snip]
Try to solve the following two examples:
Netscape and Microsoft. Netscape has downloads off their web site.
They want them to be easy. That means that the user can just
point and click. That means the crypto must be exportable or none
at all. Which do you suggest?
Next consider Microsoft. They embed their browser in the OS (at
least for now.). They want to ship that to foreigners. Again,
the crypto has to be exportable or nonexistent. Which do you
suggest?
So, what do you suggest these companies do?
How about funding programs such as Fortify, which patch browsers to enable 128
-bit SSL with all willing servers (whether or not they have supercerts)?
That seems like a fine plan, but it doesn't really speak to what
Netscape ships as a Netscape product, does it?
-Ekr
Sure it does. (Hello, are you listening?) Fortify modifies the currently
shipping, currently export approved Navigator/Communicator, allowing users
anywhere to use its 128-bit SSL whenever they connect with a 128-bit capable
SSL server (say a cypherpunk server at XS4all in the Netherlands). Normally,
128-bit SSL is only enabled when these browsers connect with an SSL server
which has a "supercert" issued with U.S. gov't approval (mostly to U.S. banks).
So strong crypto is now available, via an easily applied patch, to the most
widely used export approved product.
--Steve