ietf-openpgp

Re: Proposed Extensions to TLS for OpenPGP

1998-01-01 13:24:45
At 7:00 PM -0800 12/31/97, EKR wrote:
In message <v03102805b0d08d63c7cc@[208.129.55.202]>, Steve Schear writes:
How about funding programs such as Fortify, which patch browsers to enable
128-bit SSL with all willing servers (whether or not they have supercerts)?
That seems like a fine plan, but it doesn't really speak to what
Netscape ships as a Netscape product, does it?

-Ekr
Sure it does. (Hello, are you listening?) Fortify modifies the
currently shipping, currently export approved
Navigator/Communicator, allowing users anywhere to use its 128-bit
SSL whenever they connect with a 128-bit capable SSL server (say a
cypherpunk server at XS4all in the Netherlands).  Normally, 128-bit
SSL is only enabled when these browsers connect with an SSL server
which has a "supercert" issued with U.S. gov't approval (mostly to
U.S. banks).
So strong crypto is now available, via an easily applied patch, to
the most widely used export approved product.
Sorry I wasn't clear. The point I was trying to make was
that Netscape would still have to ship their export products, no?
Otherwise Fortify doesn't work, right? That said, there will be
a lot of people who don't bother to upgrade (just like there
are a lot of Americans who don't bother to get the domestic
Netscape.) Consequently, we've still got a lot of export
SSL implementations floating around. Does that seem like a 
reasonable assessment of the situation to you?

Incidentally, I think this is probably a dangerous course of
action. The EAR <http://www.bxa.doc.gov/supp6.htm> 7 day review
criteria explicitly state:

   (iv) The software must not allow the alteration of the data 
encryption mechanism and its associated key spaces by the user or 
any other program

It seems that Fortify is a constructive proof that the program
in question violates this criterion. That doesn't mean it's
ineligible for CJ completely, but I wouldn't want to try to get
approval for it either.

-Ekr
[Eric Rescorla                             Terisa Systems, Inc.]
                "Put it in the top slot."
