Interesting People mailing list archives

RSA/NCSA/EIT announcement on secure MOSAIC [also see note at very end djf]


From: David Farber <farber () central cis upenn edu>
Date: Fri, 15 Apr 1994 03:55:39 -0400

The following appeared on EIT's "What's New" page today.


============================================
For Immediate Release


Secure NCSA Mosaic Establishes Necessary Framework for Electronic
Commerce on the Internet


PALO ALTO, Calif., April 12, 1994 -- Enterprise Integration Technologies
(EIT), the National Center for Supercomputing Applications (NCSA) at the
University of Illinois and RSA Data Security today announced agreements to
jointly develop and distribute a secure version of NCSA Mosaic, the popular
point-and-click interface that enables easy access to thousands of
multimedia information services on the Internet.


The announcement was made in conjunction with the launch of CommerceNet, a
large-scale market trial of electronic commerce on the Internet. Under the
agreements, EIT will integrate its Secure-HTTP software with public key
cryptography from RSA into NCSA Mosaic Clients and World Wide Web (WWW)
servers. WWW is a general-purpose architecture for information retrieval
comprised of thousands of computers and servers that is available to anyone
on Internet. The enhancements will then be made available to NCSA for
widespread public distribution and commercial licensing.


Jay M. Tenenbaum, chief executive officer of EIT, believes secure NCSA Mosaic
will help unleash the commercial potential of the Internet by enabling buyers
and sellers to meet spontaneously and transact business.


"While NCSA Mosaic makes it possible to browse multimedia catalogs, view
product videos, and fill out order forms, there is currently no commercially
safe way to consummate a sale," said Tenenbaum. "With public key
cryptography, however, one can authenticate the identity of trading partners
so that access to sensitive information can be properly accounted for."


This secure version of NCSA Mosaic allows users to affix digital signatures
which cannot be repudiated and time stamps to contracts so that they become
legally binding and auditable. In addition, sensitive information such as
credit card numbers and bid amounts can be securely exchanged under
encryption. Together, these capabilities provide the foundation for a broad
range of financial services, including the network equivalents of credit and
debit cards, letters of credit and checks. In short, such secure WWW software
enables all users to safely transact day-to-day business involving even their
most valuable information on the Internet.


According to Joseph Hardin, director of the NCSA group that developed NCSA
Mosaic, over 50,000 copies of the interface software are being downloaded
monthly from NCSA's public server -- with over 300,000 copies to date.
Moreover, five companies have signed license agreements with NCSA and
announced plans to release commercial products based on NCSA Mosaic.


"This large and rapidly growing installed base represents a vast, untapped
marketplace," says Hardin. "The availability of a secure version of NCSA
Mosaic establishes a valid framework for companies to immediately begin
large-scale commerce on the Internet."


Jim Bidzos, president of RSA, sees the agreement as the beginning of a new
era in electronic commerce, where companies routinely transact business over
public networks.


"RSA is proud to provide the enabling public key software technology and will
make it available on a royalty-free basis for inclusion in NCSA's public
distribution of NCSA Mosaic," said Bidzos. "RSA and EIT will work together to
develop attractive licensing programs for commercial use of public key
technology in WWW servers."


At the CommerceNet launch, Allan M. Schiffman, chief technical officer of EIT,
demonstrated a working prototype of secure NCSA Mosaic, along with a companion
product that provides for a secure WWW server. The prototype was implemented
using RSA's TIPEM toolkit.


"In integrating public key cryptography into NCSA Mosaic, we took great pains to
hide the intricacies and preserve the simplicity and intuitive nature of NCSA
Mosaic," explained Schiffman.


Any user that is familiar with NCSA Mosaic should be able to understand and
use the software's new security features. Immediately to the left of NCSA's
familiar spinning globe icon, a second icon has been inserted that is
designed to resemble a piece of yellow paper. When a document is signed, a
red seal appears at the bottom of the paper, which the user can click on to
see the public key certificates of the signer and issuing agencies. When an
arriving document is encrypted, the paper folds into a closed envelope,
signifying that its information is hidden from prying eyes. When the user
fills out a form containing sensitive information, there is a 'secure send'
button that will encrypt it prior to transmission.


Distribution of Public Keys


To effectively employ public-key cryptography, an infrastructure must be
created to certify and standardize the usage of public key certificates.
CommerceNet will certify public keys on behalf of member companies, and will
also authorize third parties such as banks, public agencies, and industry
consortia to issue keys. Such keys will often serve as credentials, for
example, identifying someone as a customer of a bank, with a guaranteed
credit line. Significantly, all of the transactions involved in doing routine
purchases from a catalog can be accomplished without requiring buyers to
obtain public keys. Using only the server's public key, the buyer can
authenticate the identity of the seller, and transmit credit card information
securely by encrypting it under the seller's public key. Because there are
far fewer servers than clients, public key administration issues are greatly
simplified.


Easy Access to Strong Security


To successfully combine simplicity of operation and key administration
functions with a high level of security that can be accessible to even
non-sophisticated users, significant changes were necessary for existing WWW
security protocols. EIT developed a new protocol called Secure-HTTP for
dealing with a full range of modern cryptographic algorithms and systems in
the Web.


Secure-HTTP enables incorporation of a variety of cryptographic standards,
including, but not limited to, RSA's PKCS-7, and Internet Privacy Enhanced
Mail (PEM), and supports maximal interoperation between clients and servers
using different cryptographic algorithms. Cryptosystem and signature system
interoperation is particularly useful between U.S. residents and non-U.S.
residents, where the non-U.S. residents may have to use weaker 40-bit keys in
conjunction with RSA's RC2 (TM) and RC4 (TM) variable keysize ciphers. EIT
intends to publish Secure-HTTP as an Internet standard, and work with others
in the WWW community to create a standard that will encourage using the Web
for a wide variety of commercial transactions.


Availability


EIT will make Secure NCSA Mosaic software available at no charge to
CommerceNet members in September and NCSA will incorporate these secure
features in future NCSA Mosaic releases.


Enterprise Integration Technologies Corp., of Palo Alto, Calif., (EIT) is an
R&D and consulting organization, developing software and services that help
companies do business on the Internet. EIT is also project manager of
CommerceNet.


The National Center for Supercomputing Applications (NCSA), developer of the
Mosaic hypermedia browser based at the University of Illinois in Champaign,
Ill., is pursuing a wide variety of software projects aimed at making the
Internet more useful and easier to use.


RSA Data Security, Inc., Redwood City, Calif., invented Public Key Cryptography
and performs basic research and development in the cryptographic sciences. RSA
markets software that facilitates the integration of their technology into
applications.


Information on Secure NCSA Mosaic can be obtained by sending e-mail to
shttp-info () eit com.


Press Contact:


Nancy Teater
Hamilton Communications
Phone:  (415) 321-0252
Fax:  (415) 327-4660
Internet: nrt () hamilton com






Email           brianh () East Sun COM
                PGP and RIPEM keys available on request.
Facsimile       +1 508 250 5070
Phone/Vmail     +1 508 442 0660




Posted-Date: Fri, 15 Apr 1994 00:52:05 -0400
To: brianh () suneast east sun com (Brian Hawthorne - SunSelect Strategic
    Marketing)
Cc: com-priv () psi com
Subject: Re: RSA/NCSA/EIT announcement
Date: Fri, 15 Apr 1994 11:38:12 +0900
From: David R Conrad <davidc () terminus iij ad jp>


Secure NCSA Mosaic Establishes Necessary Framework for Electronic
Commerce on the Internet
...


Secure-HTTP enables incorporation of a variety of cryptographic
standards, including, but not limited to, RSA's PKCS-7, and Internet
Privacy Enhanced Mail (PEM), and supports maximal interoperation
between clients and servers using different cryptographic algorithms.
Cryptosystem and signature system interoperation is particularly
useful between U.S. residents and non-U.S. residents, where the
non-U.S. residents may have to use weaker 40-bit keys in conjunction
...


Sigh.  I do hope the Japanese Ministry of International Trade and
Industry and their counterparts in other countries will send thank you
notes to the US State Department for making all these business
opportunities available to non-US companies.  It's a shame that it
comes at the expense of US companies who are barred from selling
reasonable cryptographic systems overseas.


"... use weaker 40-bit keys ..." for commerce transactions?


Right.


-drc

