[470] in WWW Security List Archive


SSL Implementation

daemon@ATHENA.MIT.EDU (John Hemming - Chief Executive Mar)
Tue Feb 28 11:35:48 1995

From: John Hemming - Chief Executive MarketNet <johnhemming@mkn.co.uk>
Date: Tue, 28 Feb 95 12:43:33 -800
To: www-security@ns2.rutgers.edu
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

At MarketNet we implemented SSL in our browser (version 0.00001 1/2 pre beta)
about a month ago.

There are a number of issues for people who do not live in
the US.

1.   SSLREF is not available for Non-US Citizens
2.   RSAREF is not exportable
3.   The Netscape client only accepts certificates signed
     by a limited number of authorities (RSA, Netscape and
     I think MCI).
4.   Terisa have export constraints as well.

To implement SSL you need:

1.   ASN.1 encoding and decoding - not difficult
2.   MD5 routine (available in public domain)
3.   RC4 routine (also available in public domain even though
     the US government does not want it exported.)
4.   Big number routines to do the x ** y mod z calculations.
     RSAREF is also not exportable (although it is available
     in many places).  These are not that difficult, but
     need work to make them run in an adequate time.

You will then encounter a problem in that the Netscape Client
only supports certs signed by RSA etc.  This, however, is
being considered by Netscape.

Our Client is not very clever (at the moment), but it does
not currently authenticate the server which means that it allows
a secure conversation (trusting that you are talking to the
right server) which gets round the certification issue.

Generally we have found Netscape helpful in getting our 
implementation of SSL to work, but there are still a number
of commercial issues that need to be resolved before the
product can be available on a world wide basis.

In the UK mathematical formulae cannot be patented which
I believe is the case in many other countries.  There is,
therefore, no constraint in those countries given code that
performs the optimised big number calculations.  

We are currently solving the big number problems by throwing
hardware at the solution and are working on better optimisations,
but if anyone has some commercially available big number routines
that we can obtain a licence for we would be grateful.  'Twill
save me a few more days testing (already done most of the coding).

More info at http://mkn.co.uk/
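
The x ** y mod z calculation mentioned in the message, shown as an added example that is not part of the original post and is not MarketNet's, Netscape's or RSAREF's code. It counts the modular multiplications used by square-and-multiply and goes one step beyond the message by showing the CRT split commonly used to speed up RSA private-key operations; the function names and the toy key are constructed for illustration.

```python
# Added illustration: function names and the toy key are constructed for this
# example; they are not taken from any SSL implementation named in the message.

def modexp(x, y, z):
    """Return (x ** y mod z, number of modular multiplications performed)
    using left-to-right square-and-multiply."""
    if z <= 0 or y < 0:
        raise ValueError("need z > 0 and y >= 0")
    result, base, mults = 1 % z, x % z, 0
    for bit in bin(y)[2:]:              # exponent bits, most significant first
        result = (result * result) % z  # always square
        mults += 1
        if bit == "1":                  # multiply only on 1 bits
            result = (result * base) % z
            mults += 1
    return result, mults


def rsa_private_crt(c, p, q, d):
    """Compute c ** d mod (p*q) as two half-size exponentiations (CRT)."""
    m1, _ = modexp(c, d % (p - 1), p)
    m2, _ = modexp(c, d % (q - 1), q)
    q_inv, _ = modexp(q, p - 2, p)      # q^-1 mod p by Fermat (p is prime)
    h = (q_inv * (m1 - m2)) % p         # Garner recombination
    return m2 + h * q


def demo():
    p, q, e, d = 61, 53, 17, 2753       # constructed toy key, far too small for real use
    n = p * q
    m = 65                              # constructed sample message
    c, cost = modexp(m, e, n)           # public-key operation
    return c, cost, rsa_private_crt(c, p, q, d)


if __name__ == "__main__":
    c, cost, recovered = demo()
    print("ciphertext", c, "multiplications", cost, "recovered", recovered)
```

With e = 17 the loop needs 7 modular multiplications where repeated multiplication would need 16, and the gap grows exponentially with exponent length. The branch on each exponent bit makes the running time depend on the exponent, so private-key operations belong in a vetted constant-time library.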
