[44226] in Cypherpunks
Re: Netscape gives in to key escrow
daemon@ATHENA.MIT.EDU (Ray Cromwell)
Thu Nov 30 04:21:49 1995
From: Ray Cromwell <rjc@clark.net>
To: tcmay@got.net (Timothy C. May)
Date: Thu, 30 Nov 1995 04:18:29 -0500 (EST)
Cc: sameer@c2.org, cypherpunks@toad.com
In-Reply-To: <ace2ae070a021004a5e9@[205.199.118.202]> from "Timothy C. May" at Nov 30, 95 02:07:33 am
What's the point? Surely Clark must realize that even if Netscape
adds key escrow to SSL/Secure Courier, it is still possible to tunnel
real encryption through that link thus thwarting the escrow system.
In fact, this is the perfect job for Java:
1) Client connects to server thru insecure key-escrow channel and downloads
Java applet
2) Java applet opens new connection to server using "invincible" security
as Clark puts it, and performs add transactions on this channel. In fact,
in the future, a large number of "forms" will be Java applets which
submit information back to the server themselves.
And what about IPSEC ESP? Even if the application layer is weak,
the link layer can more than make up for it.
Now, Netscape has momentum, and if they set a key-escrow standard, there
is a chance of it being adopted widely. However, Java applets and IPSEC
can still make transactions through an insecure netscape payment/encryption
channel.
The genie is out of the bottle.
-Ray
