1994-12-13 - the netscape/ssl controversy

Header Data

From: Avi Harris Baumstein <avi@clas.ufl.edu>
To: cypherpunks@toad.com
Message Hash: 618196f0e7dcf2de2dcb5847474c1ab0affee7ffd0261ab3b1cc32070071058b
Message ID: <199412131448.JAA07613@cutter.clas.ufl.edu>
Reply To: N/A
UTC Datetime: 1994-12-13 14:48:50 UTC
Raw Date: Tue, 13 Dec 94 06:48:50 PST

Raw message

From: Avi Harris Baumstein <avi@clas.ufl.edu>
Date: Tue, 13 Dec 94 06:48:50 PST
To: cypherpunks@toad.com
Subject: the netscape/ssl controversy
Message-ID: <199412131448.JAA07613@cutter.clas.ufl.edu>
MIME-Version: 1.0
Content-Type: text/plain


have to get my two cents in:

netscape has a proposal that secures the *transport* of files. pgp and
the like secure the actual files themselves. the question that will
have to be answered is "which method of security is more valuable to
the internet as a whole?"

of course i have made up my mind, but i'll waste some space and share
those thoughts here. 

i sit on a committee at the college of agriculture here at uf, where
we are discussing how to implement the web. many of these people come
from beauracratic and publishing (the college publishes lots)
backgrounds. they want control and accountability. they don't want
someone to download some chemical information, believing that it is
correct (as certified by the university), but in actuality that
information was forged. i (and a few others) brought up digital
signatures as a way of guaranteeing authenticity of documents. but
this would an awful pain to implement, simply because the products do
not support it.

ssl can not provide this.  ssl can guarantee that the document was not
modified from the server it originated from until i got it. but who is
to say that the server i got it from was the authoritative server?

that's merely one example of where ssl provides no added benefit, but
other encryption technologies do. 

so what is a better solution?

i would choose a mime multipart using pgp or some other cryptographic
method. if integrated into the web client, it could be just as
seamless to the user, but now instead of encrypting the link between
two computers, it encrypts (or signs) the document itself, since
that's what i'm really interested in anyway (is the document). i could
care little about the link - and that's the premise of the internet,
that the link is unimportant as long as it works. 

so while ssl may well be a wonderful protocol, it does not address the
problems that many cypherpunks see as being real. i think it would do
netscape good to listen to and consider the views of many on this
list, as they have many genuinely good ideas, even if they choose a
confrontational manner. 

-avi






Thread