Re: [rc5] Netscape 128bits

David Terrell (dterrell@uiuc.edu)
Tue, 24 Jun 1997 19:30:02 -0500


On Tue, Jun 24, 1997 at 07:52:00PM -0400, Darrell Kindred wrote:

> It's not clear to me that Netscape is being allowed to
> export browsers with unrestricted 128-bit encryption.
> Note the key word "certified" in this excerpt from the press
> release:
>
> Netscape Communicator . . . would allow users worldwide
> to enjoy far greater protection for their information
> when communicating with certified, strong encryption
> applications on Intranets and the Internet.
>

Most SSL sites use a single registered server. So even if someone
can spoof your dns or your site gets attacked, the third party
site will still have your public key. Adds a level of reliability
and security. Also, it means that instead of just putting up
and https server, you also have make another agreement with
(usually Verisign or a similar organization) an independent
agency.

As always, feel free to speak up if I'm completely wrong.

> This later excerpt again suggests that the 128-bit
> encryption will only be enabled when you're communicating
> with a certified bank:
>
> This will allow Netscape Communicator users to access
> their banking information from almost anywhere in the
> world and communicate using strong encryption with those
> banks which have implemented Netscape SuiteSpot servers
> and completed the certification process.

Er, I wouldn't be surprised if that's someone oversimplifying
the above situation.

> It looks like non-U.S. Netscape users will be able to
> communicate securely with certified banks, but it's not
> clear to me that they will be able to communicate securely
> with other kinds of companies or individuals either inside
> or outside the U.S.
>
> - Darrell

It's a step. Not great, not what we want. But it's a step.

-- 
Dave Terrell
dterrell@uiuc.edu
finger dterrell@uiuc.edu for pgp key