1994-03-23 - ARTICLE - Two Updates Make for Digital Signatures in Email

Header Data

From: Christopher Allen <consensus@netcom.com>
To: cypherpunks@toad.com
Message Hash: 90b4c6eb617aff16a57c870ff03b55b6c34b2c7026c19af43362c6841a2be674
Message ID: <9403232252.AA11095@apple.com>
Reply To: N/A
UTC Datetime: 1994-03-23 22:54:09 UTC
Raw Date: Wed, 23 Mar 94 14:54:09 PST

Raw message

From: Christopher Allen <consensus@netcom.com>
Date: Wed, 23 Mar 94 14:54:09 PST
To: cypherpunks@toad.com
Subject: ARTICLE - Two Updates Make for Digital Signatures in Email
Message-ID: <9403232252.AA11095@apple.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
Issuer-Certificate:
MIC-Info: RSA-MD5,RSA,
 BVNiXNeTZzv5ChVt/OzLHOvgQ0XbSIW5GsUV/Da58fSVFcxc+OF2R6MMH3NxcWPu
 tlpZNMVi51vRzw0pLH2psg==

Date: Wed, 23 Mar 1994 14:41:00 -0800
Subject: ARTICLE - Two Updates Make for Digital Signatures in Email
From: Christopher Allen <consensus@netcom.com>
Reply-To: Christopher Allen <consensus@netcom.com>
Originator: Christopher Allen <consensus@netcom.com>
Organization: Consensus Development Corporation, San Francisco, CA USA
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: consens@netcom.com
X-Last-Updated: 1994/03/23
X-Text-Source:
ftp://netcom7.netcom.com/pub/consensus/text/Two_Updates_Dig_Sig.txt
X-HTML-Source:
ftp://netcom7.netcom.com/pub/consensus/www/Two_Updates_Dig_Sig.html
Summary: This article is about two recent software updates, RIPEM 1.2 and
  RSAREF 2.0, which are significant to the progress of using digital
  signatures in electronic mail.
Keywords: article, christopher allen, consensus development, ripem,
  ripem/sig, rsaref, digital, signature, electronic, mail, email,
  security, privacy, privacy enhanced mail, pem, export, decryption
  encryption, cryptography, authentication, rsa data security, pgp,
  pretty good privacy, software, license, patent


TWO UPDATES MAKE FOR DIGITAL SIGNATURES IN EMAIL
================================================
by Christopher Allen <consensus@netcom.com>
Copyright (c)1994 by Consensus Development Corporation--All Rights
Reserved. See the end of this article for the full copyright notice.


DIGITAL SIGNATURES
- ------------------
One of the real up-and-coming uses of encryption technology is for
applying digital ``signatures'' to various electronic documents. Such
signatures are not forgeable and guarantee that a document originates
with its author. If Dartmouth College had such a system in place
recently, a message impersonating a faculty member announcing the
cancellation of an exam might have been avoided. Digital signatures can
also be used to detect viruses before infected files execute.

Up to now, however, digitally signing documents has not been an easy
task. The first hurdle has been an inability to export the technology
overseas, making it virtually impossible to standardize on a signature
method. Secondly, it has been difficult to license the technology
patents involved.

The use of a freeware software utility called Pretty Good Privacy (PGP)
has caused some difficulties as well. PGP has already found its
way overseas and has gained some popularity, in particular because US
digital signature software has not been easily exportable. In the United
States, many organizations are reluctant to use PGP because of its
questionable patent status. In addition, its author, Phil Zimmermann, is
under investigation for possible export violations. These problems have
kept organizations from adopting PGP as a standard.

Two recent announcements have significantly changed things.

The first announcement is the release of two new versions of RIPEM, one
called RIPEM, the other called RIPEM/SIG. RIPEM is a free version of the
Internet Privacy Enhanced Mail (PEM) standard implemented by Mark
Riordan of Michigan State University. RIPEM/SIG is a subset of RIPEM
that allows users to digitally sign their e-mail documents but does not
allow encryption or decryption.

What is significant about this announcement is that Riordan--in
cooperation with RSA Data Security, Inc--has received a ``commodities
jurisdiction'' ruling which allows free and legal export of
non-encrypting RIPEM/SIG outside of the US. This means both US and
overseas users can now standardize on a single set of software, instead
of only working with RIPEM inside the US and PGP outside.

This release also addresses some of the complaints of PGP users: both
RIPEM and RIPEM/SIG support a non-hierarchical trust model similar to
PGP, and for US users the non-exportable version of RIPEM provides full
triple-DES privacy. Even though the triple-DES RIPEM may not be
exportable, Riordan is working with authors of independently developed
PEM applications in other countries with the goal of 100%
interoperability in a version 2.0 of RIPEM. Until that time, since
RIPEM/SIG is free and exportable, users could send a non-US or Canadian
user both RIPEM/SIG and the message to be authenticated.

The second announcement is from RSA Data Security, Inc. for the 2.0
version of RSAREF. RSAREF is a source code cryptographic toolkit
designed specifically for writing PEM applications as well as other
fundamental cryptographic and digital signature tools. In fact,
RIPEM is based on the RSAREF source code.

What is most significant about this new RSAREF is that RSA Data Security
has changed its license to make RSAREF much more accessible to both
corporations and commercial and non-commercial developers. Freeware
products (i.e., software where no fee other than media or bandwidth cost
is requested) can use the RSAREF toolkit provided that the public has
access to the product's source code.

Though a new license agreement has not been finalized, I've been told by
RSA that they will grant a royalty-free license for shareware products
for up to $10,000 worth of gross annual sales if the shareware source
code is available and the developers do not charge more than $50 a
copy.

Even if you are a commercial developer, I know from personal experience
that RSA can be quite reasonable about licensing. They want this base
level of technology adopted as widely as possible--just make RSA a
reasonable offer and I think they'll take it.

RIPEM and RIPEM/SIG are also beneficiaries of this new RSAREF license,
which means that US companies can have privacy and authentication free
of hassles from patent holders and export cops.


MORE ON RIPEM/SIG
- -----------------
The press release on RIPEM/SIG from Mark Riordan <mrr@scss3.cl.msu.edu>
is at:

        ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/posting

If you are a US or Canadian citizen, you can request an account for
access to the full non-exportable RIPEM. Information on how to get
access is at:

        ftp://guest.mu5k2d55:@ripem.msu.edu//pub/crypt/GETTING_ACCESS

The binary files for the exportable RIPEM/SIG can be found in the
directory:

        ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/

RSAREF/SIG Files available today are:

        ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/
        ripemsig-68030-macintosh-commandline-1.2a.sit.hqx

        ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/
        ripemsig-80x86-dos-vanilla-1.2a.exe

        ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/
        ripemsig-hppa-hpux9.01-1.2a

        ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/
        ripemsig-ibm-rs6000-aix3.2-1.2a

        ftp://ripem.msu.edu/pub/crypt/ripem/ripemsig/binaries/
        ripemsig-sparc-sunos4.1.1-1.2a

There does not seem to be separate documentation for RIPEM/SIG yet, so
I guess you have to use the documentation for RIPEM 1.2a:

        ftp://ripem.msu.edu/pub/crypt/ripem/ripem.man
        ftp://ripem.msu.edu/pub/crypt/ripem/ripemusr.doc
        ftp://ripem.msu.edu/pub/crypt/ripem/ripemusr.txt

A current list of RIPEM public keys is at:

        ftp://ripem.msu.edu/pub/crypt/ripem/pubkeys.txt

There is an electronic-mail users group list PEM-DEV for discussions
related to the development and deployment of Privacy Enhanced Mail (PEM)
systems. Contributions to the list should be sent to
``pem-dev@tis.com''. Administrivia, e.g., additions to or deletions from
the list should be sent to ``pem-dev-request@tis.com''.

The Internet Multicasting Service <carl@radio.com> is now beginning to
stamp all of their text files with RSA/RIPEM digital signatures.  You
can find their public key through a finger request to town.hall.org. For
examples of stamped files, look at:

    ftp://town.hall.org/edgar/docs/


MORE ON RSAREF 2.0
- ------------------
Remember, even though you can use RSAREF to create exportable,
non-encryption based digital signature software, the source code to
RSAREF is not exportable itself, as it can do encryption. It is only
available to US and Canadian citizens.

The press release on RSAREF from Jim Bidzos <jim@chirality.rsa.com> is
at:

        ftp://rsa.com//pub/RIPEM_SIG_announce.txt

Information on what RSAREF is all about and what the license terms
are is located at:

        ftp://rsa.com/rsaref/info.reply
        ftp://rsa.com/rsaref/license.txt

To get access to a time dependent directory (it changes every few
minutes) you will need to read the document:

        ftp://rsa.com/rsaref/README

If you agree to its terms, take the directory mentioned there and
substitute it for the checksum in the directory ``U.S.-only 7c04e6''.

The compressed tar archive of RSAREF is at (remember to change the time
dependent directory!):

        ftp://rsa.com/rsaref/dist/U.S.-only-7c04e6/rsaref.tar.Z

The ZIP archive of RSAREF is at (remember to change the time dependent
directory!):

        ftp://rsa.com/rsaref/dist/U.S.-only-7c04e6/rsaref.zip

You can also get the RSAREF via email by reading the RSAREF license
agreement and sending the following message to
<rsaref-administrator@rsa.com> (If your electronic mail address is
located in Canada, please also send RSA your full name and mailing
address; they'll need it to complete a Department of State export
declaration):

     I acknowledge that I have read the RSAREF Program License
     Agreement and understand and agree to be bound by its terms and
     conditions, including without limitation its restrictions on
     foreign reshipment of the Program and information related to the
     Program. The electronic mail address to which I am requesting
     that the program be transmitted is located in the United States
     of America or Canada and I am an United States citizen, a Canadian
     citizen, or a permanent resident of the United States. The RSAREF
     Program License Agreement is the complete and exclusive agreement
     between RSA Laboratories and me relating to the Program, and
     supersedes any proposal or prior agreement, oral or written, and
     any other communications between RSA Laboratories and me relating
     to the Program.

RSA Laboratories maintains an electronic-mail users group
<rsaref-users@rsa.com> for discussions on RSAREF applications, bug
fixes, etc. To join the users group, send electronic mail to
<rsaref-users-request@rsa.com>.


AUTHOR'S BIOGRAPHY
- ------------------
Christopher Allen is president of Consensus Development Corporation, a
microcomputer software development & consulting firm specializing in
groupware (defined as software to support collaboration and intentional
group processes), including such related areas as hypertext, online
documentation, document architecture, electronic publishing, group
knowledge-base support tools, and creation and management of shared
collaborative spaces.

Christopher has been active in a number of other computer industry areas.
He runs the Mac Developers Forum and Newton Development SIG on America
Online, and a Mosaic/World-Wide-Web area on groupware and collaboration.
Christopher has written for a number of industry books and publications,
including MacWorld and the Macintosh Bible. He has been moderator and
speaker at MacWorld Expo's and Mactivity's groupware sessions, and
speaks as a panelist on the subject of Macintosh groupware at other
industry conferences. He was chairman of MacHack '93, a conference for
Macintosh programming gurus, is on the MacHack Planning Board, and is a
senior associate at the Foresight Institute.


COPYRIGHT NOTICE
- ----------------
This article was written by Christopher Allen <consensus@netcom.com> and
is Copyright (c)1994 by Consensus Development Corporation--All Rights
Reserved.

This article, in whole or in part, may be used and shared in accordance
with the fair-use provisions of international copyright law:

        You may print or reproduce this article for non-commercial,
        personal, or educational purposes only, provided that the
        article is not modified, and that the copyright notice and
        this notice appear in all copies;

        You may quote, mention, cite, refer to, point, or describe this
        article in books, products, online services, or other media--
        but you may not reproduce in whole or in part without
        permission.

In addition, Consensus Development Corporation grants you permission to
redistribute this article in electronic form, provided that you first
notify Consensus Development and that you receive no fees, in excess of
normal online charges, for access to this article.

Archiving, redistribution, republication, or derivation of this article
on other terms, in any medium, including but not limited to electronic,
CD-ROM, database, or publication in print, requires the explicit
written or digitally signed consent from Consensus Development
Corporation.

These requirements are not meant to be restrictive--we are quite willing
to make our articles available even for commercial use, provided that
permission is requested.

If you have any questions about these terms, or would like information
about licensing rights from Consensus Development Corporation, please
contact us via telephone 415/647-6383, or email Christopher Allen
<consensus@netcom.com>.

- ------------------------------------------------------------------------
..Christopher Allen                  Consensus Development Corporation..
..<consensus@netcom.com>                         4104-24th Street #419..
..                                        San Francisco, CA 94114-3615..
..                                        o415/647-6383  f415/647-6384..
..Mosaic/World-Wide-Web Front Door:                                   ..
..ftp://netcom7.netcom.com/pub/consensus/www/ConsensusFrontDoor.html  ..
-----END PRIVACY-ENHANCED MESSAGE-----
Created with RIPEM Mac 0.8.5 b2







