[470] in WWW Security List Archive
SSL Implementation
daemon@ATHENA.MIT.EDU (John Hemming - Chief Executive Mar)
Tue Feb 28 11:35:48 1995
From: John Hemming - Chief Executive MarketNet <johnhemming@mkn.co.uk>
Date: Tue, 28 Feb 95 12:43:33 -800
To: www-security@ns2.rutgers.edu
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
At MarketNet we implemented SSL in our browser (version 0.00001 1/2 pre beta)
about a month ago.
There are a number of issues for people who do not live in
the US.
1. SSLREF is not available for Non-US Citizens
2. RSAREF is not exportable
3. The Netscape client only accepts certificates signed
by a limited number of authorities (RSA, Netscape and
I think MCI).
4. Terisa have export constraints as well.
To implement SSL you need:
1. ASN.1 encoding and decoding - not difficult
2. MD5 routine (available in public domain)
3. RC4 routine (also available in public domain even though
the US government does not want it exported.)
4. Big number routines to do the x ** y mod z calculations.
RSAREF is also not exportable (although it is available
in many places). These are not that difficult, but
need work to make them run in an adequate time.
You will then encounter a problem in that the Netscape Client
only supports certs signed by RSA etc. This, however, is
being considered by Netscape.
Our Client is not very clever (at the moment), but it does
not currently authenticate the server which means that it allows
a secure conversation (trusting that you are talking to the
right server) which gets round the certification issue.
Generally we have found Netscape helpful in getting our
implementation of SSL to work, but there are still a number
of commercial issues that need to be resolved before the
product can be available on a world wide basis.
In the UK mathematical formulae cannot be patented which
I believe is the case in many other countries. There is,
therefore, no constraint in those countries given code that
performs the optimised big number calculations.
We are currently solving the big number problems by throwing
hardware at the solution and are working on better optimisations,
but if anyone has some commercially available big number routines
that we can obtain a licence for we would be grateful. Twill
save me a few more days testing (already done most of the coding).
More info at http://mkn.co.uk/
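
The x ** y mod z calculation from item 4 of the list above, as an added example that is not part of the original message and not MarketNet's code. It shows binary square-and-multiply and counts the modular multiplications, which is why the routine "needs work" to run in adequate time. Python's built-in integers stand in for the big number routines, and the function name and the 512-bit sample values are assumptions constructed for illustration.

```python
# Added example: left-to-right square-and-multiply for x ** y mod z.
# Python's arbitrary-precision integers replace the multi-word arithmetic
# that a C implementation of the period would have had to supply itself.

def modexp(x, y, z):
    """Return (x ** y mod z, modular multiplications performed)."""
    if z <= 0:
        raise ValueError("modulus must be positive")
    if y < 0:
        raise ValueError("negative exponents are not handled here")
    if y == 0:
        return 1 % z, 0
    base = x % z
    result = base            # accounts for the leading 1 bit of y
    mults = 0
    # Walk the remaining exponent bits, most significant first.
    for bit in bin(y)[3:]:
        result = (result * result) % z      # one squaring per bit
        mults += 1
        if bit == "1":
            result = (result * base) % z    # extra multiply for set bits
            mults += 1
    return result, mults


if __name__ == "__main__":
    # Constructed sample values of RSA-like size; not a real key.
    z = (1 << 512) - 569 | 1          # odd 512-bit modulus
    y = (1 << 511) + 0x1234567        # 512-bit exponent
    x = 0xC0FFEE ** 20                # arbitrary message value

    value, mults = modexp(x, y, z)
    assert value == pow(x, y, z)      # cross-check against the built-in

    # Repeated multiplication would need y - 1 multiplications, about
    # 2 ** 511 here; square-and-multiply needs at most 2 * (bits - 1).
    print("bits in exponent :", y.bit_length())
    print("multiplications  :", mults)
    print("upper bound      :", 2 * (y.bit_length() - 1))
```

Each of those multiplications is itself a 512-bit multiply and reduction, so the cost of the underlying multi-word arithmetic dominates the running time.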