5 December 1999
To: Tom Weinstein <tomw@geocast.com>
From: Vin McLellan <vin@shore.net>
Subject: Navigator, IE & RSApck-based SSL
Cc: openssl-users@openssl.org, cypherpunks@algebra.com
Date: Fri, 3 Dec 1999 15:56:46 -0500
Nicolas Roumiantzeff <nicolasr@esker.fr> asked:
>> Does anybody know why both IE and Netscape browser implement
>>exclusively RSA certificates?
>>
>> My feeling is that Microsoft and Netscape both made a deal with
RSA
>> Security to get a "low" price RSA license at the condition of not
>> implementing DSA.
Tom Weinstein <tomw@geocast.com>, Netscape cryptographer in a previous life, replied:
>As a matter of fact, Netscape does support DSA certs, but I never had
a
>chance to implement DH key exchanges. The only reason I didn't
implement
>it was lack of time. Every time we did schedules, I'd put it on
the list; every
>time, it would get knocked off the bottom by something else. The
bottom line
>is that there were no customers busting down our doors screaming that
they
>needed DH, so we didn't do it.
Maybe you could also comment on the original choice of RSApkc for key exchange in the original SSL ciphersuite, Tom? Paul? There are a lot of conspiratorial stories (Can you believe that?!) which circulate about RSADSI's nefarious Imperial schemes to rule the world, and how Netscape and SSL were Jim Bidzos' bloody sword and shield;-)
My recollection is that a startup like Netscape in 1993, '94, or even '95, would have been foolish to go with anything other than RSApkc for key exchange. Do you agree?
People forget how different the cryptographic landscape looked then -- and how much of the environment for such a choice was shaped by the huge background struggle between the crypto vendors and corporate OEMs, on one hand, and the American NSA, which had a full-court campaign underway block the widespread adoption of RSApkc and other un-GAKed crypto.
As I recall, when the Netscape team was designing SSL, the NSA-designed DSA was still the subject of considerable controversy, some suspicion, and a great deal of market confusion. The El Gamal signature option for D-H was then little known, and whether Stanford's D-H patents covered El Gamal (a Cylink contention, then and later) was still a subject of heated debate.
Since both RSApkc and D-H/XX were patented, of course, so neither offered a ready escape from crypto IP and royalties demands.
[NSA was full-bore into its campaign to block the widespread adoption of RSApkc. The NSA envisioned that its own PKI -- with its own KEA algorithm for key agreement; DSA for digital sigs; and Skipjack for symmetric crypt0 (all packaged in Capstone-based GAKed Fortezza) -- would preempt PKI demand in both the government market and the private sector. US federal volume purchasing was expected to define or redefine the PKI market.]
[I've often thought that if the NSA had not so misjudged the potential of WWW, Netscape, smartcards, and e-commerce (not to mention that spook bureaucrats were painfully inept at marketing and forgetful of such industrial-grade basics like field support, for all their power and influence within the D.C. beltway) -- many more of us Yanks would be carrying Fortezza PCMCIA cards today. Over the past 15 years, the NSA has several times been right at the brink of getting control over US private sector crypto and even private-sector network security en toto. The curious might research the furor around Reagan's NSDD-145 proclamation some time;-]
RSApkc was anathema to the Mandarin spooks of the NSA, largely because RSApkc integrates encryption and digital signature capabilities -- so the NSA could not restrict encryption, per se, while permitting the free distribution of PKC-based authentication and integrity services. For damn near a decade, RSADSI fought a bitter guerrilla war against the federal effort to standardize the NSA-funded DSA, and channel the American PKI market into the NSA's D-H-like KEA and Fortezza.
[In one notable strategic ploy -- the source of many of those conspiratorial rumors, perhaps -- RSADSI got control of the German Schoor patents on digital signature techniques. In the crypto politics of the day, the Schoor patents offered just enough of a timely patent-infringement threat to the DSS to help many big American OEMs and financial services firms to resist pressure from the NSA to switch from the RSA technology, which many had already invested in, to the DSS and the NSA's Fortezza infrastructure.]
When Netscape trio was working on v.1 of SSL, of course, RSADSI and Cylink (which controlled the Stanford patents, including Diffie-Hellman) were still in an uneasy alliance for joint licensing. Even if Netscape was making its SSL design choice a couple of years later, after the Public Key Partnership broke up, I suspect the marketing strategies of RSADSI and Cylink -- respective banner-bearers for the two leading PKC schemes -- would have still left Netscape with a clear choice.
While RSADSI bet on software crypto and was widely promoting its BSAFE developers' toolkit, Cylink had instead focused on hardware crypto and the government market. One type of expertise scaled into the zeitgeist Netscape dreamed of for SSL. The other did not. (Which is not to even mention the relative efficiency of RSApkc for key or cert verification.)
For MS, when it sometime later turned on a proverbial dime to focus on the Net and Netscape, it was probably an even easier decision to stay with RSApkc and not load IE with D-H_DSS or alternatives. Redmond had already purchased full rights to use RSApkc and the sundry RC ciphers, and MS wanted the early IE to look just like Netscape's Navigator/Communicator ;-).
RSADSI's management also recognized the potential of the Web early, and more clearly than many others. RSADSI, which was then still a hungry, small, $10M/yr. crypto lab and and IP licensing firm -- not known for passing up cash on the table -- offered Netscape full no-royalty access to its public key and symmetric crypto in exchange for one percent of Netscape's equity. (I think RSADSI also bet on SSL's then-strong competitor, S-HTTP, with a major investment in Terisa, now part of Spyrus.)
For a startup like Netscape, I presume the no-cash offer was attractive, maybe even irresistable... even if all the other factors had not lined up to tilt the SSL design team toward RSApkc. This is all off the top of my head, but I think it is relatively accurate. Comments and corrections from those directly involved in these events, or anyone else, would be very welcome.
Surete,
_Vin
____________________________________________________
OpenSSL
Project
http://www.openssl.org
User Support Mailing
List
openssl-users@openssl.org
Automated List
Manager
majordomo@openssl.org
Date: Fri, 03 Dec 1999 14:25:25 -0800
From: Tom Weinstein <tomw@geocast.com>
Organization: Geocast Network Systems
To: Vin McLellan <vin@shore.net>
CC: openssl-users@openssl.org, cypherpunks@algebra.com
Subject: Re: Navigator, IE & RSApck-based SSL
Vin McLellan wrote:
> Tom Weinstein
<tomw@geocast.com>, Netscape cryptographer in a
> previous life, replied:
>
>> As a matter of fact, Netscape does support DSA certs, but I never
had a
>>chance to implement DH key exchanges. The only reason I didn't
>> implement it was lackof time. Every time we did schedules,
I'd put it on the
>> list; every time, it would get knocked off the bottom by something
else.
>>The bottom line is thatthere were no customers busting down our doors
>>screaming that they needed DH, so we didn't do it.
>
> Maybe you could also
comment on the original choice of RSApkc for
> key exchange in the original SSL ciphersuite, Tom? Paul? There
are a lot of
> conspiratorial stories (Can you believe that?!) which circulate
about
> RSADSI's nefarious Imperial schemes to rule the world, and how Netscape
> and SSL were Jim Bidzos' bloody sword and shield;-)
>
> My recollection is that
a startup like Netscape in 1993, '94, or
> even '95, would have been foolish to go with anything other than RSApkc
for
> key exchange. Do you agree?
I wasn't at Netscape at the time that SSL 1.0 and 2.0 were written, so my information for that period is not eyewitness testimony. Be warned. :-)
I think there were two major factors that motivated the choice of RSA. First BSAFE was existing code that could just be used. In a startup, it's very important that you not waste time reinventing wheels that you can buy off the shelf. Finally, the most popular piece of crypto software at the time was PGP, which also used RSA.
--
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice. You must understand Tao
before | tomw@geocast.com
transcending structure. -- The Tao of Programming |
From: Sameer Parekh <sameer@bpm.ai>
Subject: Re: Navigator, IE & RSApck-based SSL
To: openssl-users@openssl.org
Date: Fri, 3 Dec 1999 15:19:56 -0800 (PST)
Cc: vin@shore.net, openssl-users@openssl.org, pkocher@cryptography.com,
cypherpunks@algebra.com
> I think there were two major factors that motivated the choice of
RSA. First
> BSAFE was existing code that could just be used. In a startup,
it's very
> important that you not waste time reinventing wheels that you can buy
off
> the shelf. Finally, the most popular piece of crypto software
at the time was
> PGP, which also used RSA.
I share Tom's opinion that the decision at Netscape was not nearly as complex as Vin alludes to. I doubt there was a "conspiracy" but simple issues such as PGP, the existence of BSAFE, and perhaps an existing friendly relationship between Netscape and RSA senior management affected the decision much more than complex security policy concerns involving the NSA.
--
sameer
From: EKR <ekr@rtfm.com>
To: openssl-users@openssl.org
Cc: Tom Weinstein <tomw@geocast.com>, pkocher@cryptography.com,
cypherpunks@algebra.com
Subject: Re: Navigator, IE & RSApck-based SSL
Date: 03 Dec 1999 16:37:17 -0800
Vin McLellan <vin@shore.net> writes:
> Maybe you could also
comment on the original choice of RSApkc for
> key exchange in the original SSL ciphersuite, Tom? Paul? There
are a lot of
> conspiratorial stories (Can you believe that?!) which circulate
about
> RSADSI's nefarious Imperial schemes to rule the world, and how Netscape
and
> SSL were Jim Bidzos' bloody sword and shield;-)
I'm not Tom or Paul, but as one of the S-HTTP designers and someone who saw very early SSL specs, I'll put in my $.02.
At the time (94-95) getting DH was no easier than getting RSA due to the existence of PKP. Moreover, it was pretty clear that RSA was the popular choice: There were certificate formats (X.509) and an email format (PEM) based on it. From our perspective the DH/DSS situation was much less evolved. In point of fact, a very early draft of S-HTTP contained DH support, which was removed after Burt Kaliski pointed out to us that it was underspecified.
Moreover, RSA/PKP was very unwilling to grant a patent license, preferring to sell you BSAFE and TIPEM, which were very biased towards RSA. The DSS support was nonexistent and the DH support (at least through BSAFE 3.0) was terrible. (In point of fact, despite the fact that BSAFE includes DH, when I added the the DH/DSS ciphersuites to Terisa's product, I wrote the code myself rather than using BSAFE's).
1998 seemed impossibly far away at the time and so it didn't even occur to us to worry about the DH patent expiring. This would not have been a convincing reason not to use RSA.
-Ekr
P.S. SSLv1 and v2 were not designed by Kocher et al. They were designed by Kipp Hickman (also a Netscape employee) in the fall of 1994.
--
[Eric Rescorla ekr@rtfm.com]
To: Tom Weinstein <tomw@geocast.com>
From: Vin McLellan <vin@shore.net>
Cc: openssl-users@openssl.org, pkocher@cryptography.com,
cypherpunks@algebra.com
Date: Fri, 3 Dec 1999 22:06:09 -0500
Subject: Re: Navigator, IE & RSApck-based SSL
According to a well-informed government source, Vin McLellan wrote:
>> Maybe you could
also comment on the original choice of RSApkc for
>> key exchange in the original SSL ciphersuite, Tom? Paul? There
are a lot of
>> conspiratorial stories (Can you believe that?!) which circulate
about
>> RSADSI's nefarious Imperial schemes to rule the world, and how Netscape
>> and SSL were Jim Bidzos' bloody sword and shield;-)
>>
>> My recollection
is that a startup like Netscape in 1993, '94, or
>> even '95, would have been foolish to go with anything other than
RSApkc
>> for key exchange. Do you agree?
Tom Weinstein <tomw@geocast.com> graciously replied:
>I wasn't at Netscape at the time that SSL 1.0 and 2.0 were written, so
my
>information for that period is not eyewitness testimony. Be warned.
:-)
>
>I think there were two major factors that motivated the choice of RSA.
First
>BSAFE was existing code that could just be used. In a startup,
it's very
>important that you not waste time reinventing wheels that you can buy
off the
>shelf. Finally, the most popular piece of crypto software at the
time was PGP,
>which also used RSA.
Thanks. I should have mentioned PGP and PEM, of course! Probably X509 and Rivest's MailSafe (to which PGP showed a remarkable resemblence;-) too.
I also don't disagree with Eric Rescorla or Sameer Parekh, two savvy developers who stressed the importance of RSA's BSAFE toolkit, with its inevitable biases.
I was only rambling about the broader politech context as a way of explaining why DH with DSS (what many younger people today suggest was the obvious alternative PKC for SSL) was not then, or for several years later, seen as a viable choice -- even if some prescient soul saw fit to factor the 1997 DH patent expiration into the design decision.
The fact that DH -- and Fortezza's KEA, whose shadow then should not be underestimated -- needed a royalty-free DSS was a major factor in the way a lot of American OEMs evaluated their options for PKI and PKC-enabled apps and products in 1994-1995.
My humble apologies (and grateful thanks also) to Kipp Hickman -- the Netscape crypto engineer who designed SSL v.1 and v.2 -- whose name I should have mentioned.
_Vin
Date: Fri, 03 Dec 1999 20:46:38 -0800
From: Paul Kocher <paul@cryptography.com>
To: EKR <ekr@rtfm.com>, openssl-users@openssl.org
Cc: Tom Weinstein <tomw@geocast.com>, paul@cryptography.com,
cypherpunks@algebra.com
Subject: Re: Navigator, IE & RSApck-based SSL
Vin McLellan <vin@shore.net> writes:
> > Maybe you could
also comment on the original choice of RSApkc for
> > key exchange in the original SSL ciphersuite, Tom? Paul?
There are a
> > lot of conspiratorial stories (Can you believe that?!) which
circulate about
> > RSADSI's nefarious Imperial schemes to rule the world, and how
Netscape
> > and SSL were Jim Bidzos' bloody sword and shield;-)
At 04:37 PM 12/3/99 -0800, EKR wrote:
>I'm not Tom or Paul, but as one of the S-HTTP designers and someone who
>saw very early SSL specs, I'll put in my $.02.
>
>At the time (94-95) getting DH was no easier than getting RSA due
>to the existence of PKP. Moreover, it was pretty clear that
>RSA was the popular choice: There were certificate formats (X.509)
>and an email format (PEM) based on it. From our perspective the
>DH/DSS situation was much less evolved. In point of fact, a very
>early draft of S-HTTP contained DH support, which was removed
>after Burt Kaliski pointed out to us that it was underspecified.
>
>Moreover, RSA/PKP was very unwilling to grant a patent
>license, preferring to sell you BSAFE and TIPEM, which were
>very biased towards RSA. The DSS support was nonexistent
>and the DH support (at least through BSAFE 3.0) was terrible.
>(In point of fact, despite the fact that BSAFE includes DH,
>when I added the the DH/DSS ciphersuites to Terisa's product,
>I wrote the code myself rather than using BSAFE's).
>
>1998 seemed impossibly far away at the time and so it didn't
>even occur to us to worry about the DH patent expiring. This
>would not have been a convincing reason not to use RSA.
>
>-Ekr
>
>P.S. SSLv1 and v2 were not designed by Kocher et al. They were
>designed by Kipp Hickman (also a Netscape employee) in the
>fall of 1994.
This pretty much matches my take. Although I wasn't involved with SSL 2, the choice of RSA makes sense even ignoring the licensing issues -- people trust the RSA algorithm, while DSA was relatively new and was the subject trustworthiness/patent status concerns. The main purpose of SSL was to help people to trust the web with personal data like credit card numbers, so perceptions did matter. Also, Verisign only supported RSA (no coincidence, since they were spun-off from RSA).
On the SSL 3.0 design, Phil, Alan, and I had pretty much complete freedom to do whatever made sense, except that we had to support Fortezza and weak crypto (which none of us were enthusiastic about). We did what we could -- for example, each party uses a different 40-bit key to squeeze an extra bit of effective security, strong authentication is used no matter what algorithm is selected, etc. For the benefit of non-web uses and standards bodies we added the non-RSA options, but never expected it to gain much use on the web.
- Paul
_________________________________________________________________
Paul Kocher
Cryptography Research, Inc.
Tel: 415.397.0123 (fax: -0127) 607 Market St., 5th Floor
E-mail: paul@cryptography.com San Francisco,
CA 94105
Date: Sat, 04 Dec 1999 10:32:27 -0800
To: Vin McLellan <vin@shore.net>
From: Steve Schear <schear@lvcm.com>
Subject: Re: Navigator, IE & RSApck-based SSL
Cc: cypherpunks@cyberpass.net
At 10:06 PM 12/3/99 -0500, you wrote:
> The fact that DH -- and Fortezza's
KEA, whose shadow then should not
>be underestimated -- needed a royalty-free DSS was a major factor in
the way
>a lot of American OEMs evaluated their options for PKI and PKC-enabled
apps
>and products in 1994-1995.
I was a manager at Cylink during this period. I can verify that Bob Fougner, PKP's attorney, was applying successful pressure against the Feds to prevent a license-free DSS.
--Steve