IP: Navigator, IE, & RSApkc-based SSL

[Dave Farber <farber () cis upenn edu>]

> To: Dave Farber <farber () cis upenn edu>
> From: Vin McLellan <vin () shore net>
>
> [A bit of  SSL/TLS history that may be of interest to IP.  Regards,  _Vin]
>
> ----------------------------
>
> To: Tom Weinstein <tomw () geocast com>
> From: Vin McLellan <vin () shore net>
> Subject: Navigator, IE & RSApck-based SSL
> Cc: openssl-users () openssl org,  cypherpunks () algebra com
> Date: Fri, 3 Dec 1999 15:56:46 -0500
> Sender: owner-openssl-users () openssl org
>
>
>        Nicolas Roumiantzeff <nicolasr () esker fr> asked:
>
> > > Does anybody know why both IE and Netscape browser implement
> > > exclusively  RSA certificates?
> > >
> > > My feeling is that Microsoft and Netscape both made a deal with RSA
> > > Security to get a "low" price RSA license at the condition of not
> > > implementing DSA.
>
>         Tom Weinstein <tomw () geocast com>,  Netscape cryptographer in a
> previous life, replied:
>
> > As a matter of fact, Netscape does support DSA certs, but I never had a
> > chance to implement DH key exchanges.  The only reason I didn't implement
> > it was lack of time.  Every time we did schedules, I'd put it on the list;
> every
> > time, it would get knocked off the bottom by something else.  The bottom 
> line
> > is that there were no customers busting down our doors screaming that they
> > needed DH, so we didn't do it.
>
>         Maybe you could also comment on the original choice of RSApkc for
> key exchange in the original SSL ciphersuite, Tom?  Paul? There are a lot of
> conspiratorial stories  (Can you believe that?!) which circulate about
> RSADSI's nefarious Imperial schemes to rule the world, and how Netscape and
> SSL were Jim Bidzos' bloody sword and shield;-)
>
>         My recollection is that a startup like Netscape in 1993, '94, or
> even '95, would have been foolish to go with anything other than RSApkc for
> key exchange.  Do you agree?
>
>         People forget how different the cryptographic landscape looked then
> -- and how much of the environment for such a choice was shaped by the huge
> background struggle between the crypto vendors and corporate OEMs, on one
> hand, and the American NSA, which had a full-court campaign underway block
> the widespread adoption of  RSApkc and other un-GAKed crypto.
>
>         As I recall, when the Netscape team was designing SSL, the
> NSA-designed DSA was  still the subject of considerable controversy, some
> suspicion, and a great deal of market confusion.  The El Gamal signature
> option for D-H was then little known, and whether Stanford's D-H patents
> covered El Gamal (a Cylink contention, then and later) was still a subject
> of heated debate.
>
>         Since both RSApkc and D-H/XX were patented, of course, so neither
> offered a ready escape from crypto IP and royalties demands.
>
>         [NSA was full-bore into its campaign to block the widespread
> adoption of RSApkc.   The NSA envisioned that its own PKI -- with its own
> KEA algorithm for key agreement; DSA for digital sigs; and Skipjack for
> symmetric crypt0 (all packaged in Capstone-based GAKed Fortezza) -- would
> preempt PKI demand in both the government market and the private sector.  US
> federal volume purchasing was expected to define or redefine the PKI market.]
>
>         [I've often thought that if the NSA had not so misjudged the
> potential of WWW, Netscape, smartcards, and e-commerce (not to mention that
> spook bureaucrats were painfully inept at marketing and forgetful of such
> industrial-grade basics like field support, for all their power and
> influence within the D.C. beltway) -- many more of us Yanks would be
> carrying Fortezza PCMCIA cards today.  Over the past 15 years, the NSA has
> several times been right at the brink of getting control over US private
> sector crypto and even private-sector network security en toto.  The curious
> might research the furor around Reagan's NSDD-145 proclamation some time;-]
>
>         RSApkc was anathama to the Mandarin spooks of the NSA,  largely
> because RSApkc integrates encryption and digital signature capabilities --
> so the NSA could not  restrict encryption, per se, while permitting the free
> distribution of PKC-based authentication and integrity services.  For damn
> near a decade, RSADSI fought a bitter guerrilla war against the federal
> effort to standardize the NSA-funded  DSA, and channel the American PKI
> market into the NSA's D-H-like KEA and Fortezza.
>
>         [In one notable strategic ploy -- the source of many of those
> conspiratorial rumors, perhaps -- RSADSI got control of the German Schoor
> patents on digital signature techniques.  In the crypto politics of the day,
> the Schoor patents offered just enough of a timely patent-infringement
> threat to the DSS to help many big  American OEMs and financial services
> firms to resist pressure from the NSA to switch from the RSA technology,
> which many had already invested in, to the DSS and the NSA's Fortezza
> infrastructure.]
>
>         When Netscape trio was working on v.1 of SSL, of course, RSADSI and
> Cylink (which controlled the Stanford patents, including Diffie-Hellman)
> were still in an uneasy alliance for joint licensing.  Even if Netscape was
> making its SSL design choice a couple of years later, after the Public Key
> Partnership broke up, I suspect the marketing strategies of RSADSI and
> Cylink  -- respective banner-bearers for the two leading PKC schemes --
> would have still left Netscape with a clear choice.
>
>         While RSADSI  bet on software crypto and was widely promoting its
> BSAFE developers' toolkit, Cylink had instead focused on hardware crypto and
> the government market.  One type of expertise scaled into the zeitgeist
> Netscape dreamed of for SSL.  The other did not.  (Which is not to even
> mention the relative efficiency of RSApkc for key or cert verification.)
>
>         For MS, when it sometime later turned on a proverbial dime to focus
> on the Net and Netscape, it was probably an even easier decision to stay
> with RSApkc and not load IE with D-H_DSS or alternatives.  Redmond had
> already purchased full rights to use RSApkc and the sundry RC ciphers, and
> MS wanted the early IE to look just like Netscape's Navigator/Communicator;-)
>
>         RSADSI's management also recognized the potential of the Web early,
> and more clearly than many others.   RSADSI, which was then still a hungry,
> small, $10M/yr. crypto lab and and IP licensing firm -- not known for
> passing up cash on the table -- offered Netscape full no-royalty access to
> its public key and symmetric crypto in exchange for one percent of
> Netscape's equity.   (I think RSADSI also bet on SSL's then-strong
> competitor, S-HTTP, with a major investment in Terisa, now part of Spyrus.)
>
>         For a startup like Netscape, I presume the no-cash offer was
> attractive, maybe even irresistable... even if all the other factors had not
> lined up to tilt the SSL design team toward RSApkc.  This is all off the top
> of my head, but I think it is relatively accurate.  Comments and corrections
> from those directly involved in these events, or anyone else, would be very
> welcome.
>
>         Surete,
>                         _Vin
>
> ____________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users () openssl org
> Automated List Manager                           majordomo () openssl org
>
> ---------------------------------------
>
> Date: Fri, 03 Dec 1999 14:25:25 -0800
> From: Tom Weinstein <tomw () geocast com>
> Organization: Geocast Network Systems
> To: Vin McLellan <vin () shore net>
> CC: openssl-users () openssl org,  cypherpunks () algebra com
> Subject: Re: Navigator, IE & RSApck-based SSL
>
>
> Vin McLellan wrote:
>
> >         Tom Weinstein <tomw () geocast com>, Netscape cryptographer in a
> > previous life, replied:
> >
> > > As a matter of fact, Netscape does support DSA certs, but I never had a
> > > chance to implement DH key exchanges.  The only reason I didn't
> > > implement it was lackof time.  Every time we did schedules, I'd put it on
> the
> > > list; every time, it would get knocked off the bottom by something else.
> > > The bottom line is thatthere were no customers busting down our doors
> > > screaming that they needed DH, so we didn't do it.
> >
> >         Maybe you could also comment on the original choice of RSApkc for
> > key exchange in the original SSL ciphersuite, Tom?  Paul? There are a 
> lot of
> > conspiratorial stories  (Can you believe that?!) which circulate about
> > RSADSI's nefarious Imperial schemes to rule the world, and how Netscape
> > and SSL were Jim Bidzos' bloody sword and shield;-)
> >
> >         My recollection is that a startup like Netscape in 1993, '94, or
> > even '95, would have been foolish to go with anything other than RSApkc for
> > key exchange.  Do you agree?
>
> I wasn't at Netscape at the time that SSL 1.0 and 2.0 were written, so my
> information for that period is not eyewitness testimony.  Be warned. :-)
>
> I think there were two major factors that motivated the choice of RSA.  First
> BSAFE was existing code that could just be used.  In a startup, it's very
> important that you not waste time reinventing wheels that you can buy off the
> shelf.  Finally, the most popular piece of crypto software at the time was 
> PGP,
> which also used RSA.
>
> --
> What is appropriate for the master is not appropriate| Tom Weinstein
> for the novice.  You must understand Tao before      | tomw () geocast com
> transcending structure.  -- The Tao of Programming   |
>
> ---------------------------------------------
>
> From: Sameer Parekh <sameer () bpm ai>
> Subject: Re: Navigator, IE & RSApck-based SSL
> To: openssl-users () openssl org
> Date: Fri, 3 Dec 1999 15:19:56 -0800 (PST)
> Cc: vin () shore net, openssl-users () openssl org, pkocher () cryptography com,
>         cypherpunks () algebra com
>
>
>
> > I think there were two major factors that motivated the choice of 
> RSA.  First
> > BSAFE was existing code that could just be used.  In a startup, it's very
> > important that you not waste time reinventing wheels that you can buy off
> > the shelf.  Finally, the most popular piece of crypto software at the time
> was
> > PGP, which also used RSA.
>
>         I share Tom's opinion that the decision at Netscape was not
> nearly as complex as Vin alludes to. I doubt there was a "conspiracy"
> but simple issues such as PGP, the existence of BSAFE, and perhaps an
> existing friendly relationship between Netscape and RSA senior
> management affected the decision much more than complex security
> policy concerns involving the NSA.
>
> --
> sameer
>
> --------------------------------------
>
> From: EKR <ekr () rtfm com>
> To: openssl-users () openssl org
> Cc: Tom Weinstein <tomw () geocast com>, pkocher () cryptography com,
>         cypherpunks () algebra com
> Subject: Re: Navigator, IE & RSApck-based SSL
> Date: 03 Dec 1999 16:37:17 -0800
>
>
> Vin McLellan <vin () shore net> writes:
>
> >         Maybe you could also comment on the original choice of RSApkc for
> > key exchange in the original SSL ciphersuite, Tom?  Paul? There are a 
> lot of
> > conspiratorial stories  (Can you believe that?!) which circulate about
> > RSADSI's nefarious Imperial schemes to rule the world, and how Netscape and
> > SSL were Jim Bidzos' bloody sword and shield;-)
>
> I'm not Tom or Paul, but as one of the S-HTTP designers and someone who
> saw very early SSL specs, I'll put in my $.02.
>
> At the time (94-95) getting DH was no easier than getting RSA due
> to the existence of PKP. Moreover, it was pretty clear that
> RSA was the popular choice: There were certificate formats (X.509)
> and an email format (PEM) based on it. From our perspective the
> DH/DSS situation was much less evolved. In point of fact, a very
> early draft of S-HTTP contained DH support, which was removed
> after Burt Kaliski pointed out to us that it was underspecified.
>
> Moreover, RSA/PKP was very unwilling to grant a patent
> license, preferring to sell you BSAFE and TIPEM, which were
> very biased towards RSA. The DSS support was nonexistent
> and the DH support (at least through BSAFE 3.0) was terrible.
> (In point of fact, despite the fact that BSAFE includes DH,
> when I added the the DH/DSS ciphersuites to Terisa's product,
> I wrote the code myself rather than using BSAFE's).
>
> 1998 seemed impossibly far away at the time and so it didn't
> even occur to us to worry about the DH patent expiring. This
> would not have been a convincing reason not to use RSA.
>
> -Ekr
>
> P.S. SSLv1 and v2 were not designed by Kocher et al. They were
> designed by Kipp Hickman (also a Netscape employee) in the
> fall of 1994.
>
> --
> [Eric Rescorla                                   ekr () rtfm com]
>
> ----------------------------------------------
>
> To: Tom Weinstein <tomw () geocast com>
> From: Vin McLellan <vin () shore net>
> Cc: openssl-users () openssl org, pkocher () cryptography com,
>         cypherpunks () algebra com
> Date: Fri, 3 Dec 1999 22:06:09 -0500
> Subject:  Re: Navigator, IE & RSApck-based SSL
>
>
>         According to a well-informed government source, Vin McLellan wrote:
>
> > >         Maybe you could also comment on the original choice of RSApkc for
> > > key exchange in the original SSL ciphersuite, Tom?  Paul? There are a 
> lot of
> > > conspiratorial stories  (Can you believe that?!) which circulate about
> > > RSADSI's nefarious Imperial schemes to rule the world, and how Netscape
> > > and SSL were Jim Bidzos' bloody sword and shield;-)
> > >
> > >         My recollection is that a startup like Netscape in 1993, '94, or
> > > even '95, would have been foolish to go with anything other than RSApkc
> > > for key exchange.  Do you agree?
>
>         Tom Weinstein <tomw () geocast com> graciously replied:
>
> > I wasn't at Netscape at the time that SSL 1.0 and 2.0 were written, so my
> > information for that period is not eyewitness testimony.  Be warned. :-)
> >
> > I think there were two major factors that motivated the choice of 
> RSA.  First
> > BSAFE was existing code that could just be used.  In a startup, it's very
> > important that you not waste time reinventing wheels that you can buy 
> off the
> > shelf.  Finally, the most popular piece of crypto software at the time 
> was PGP,
> > which also used RSA.
>
>
>         Thanks. I should have mentioned PGP and PEM, of course! Probably
> X509 and Rivest's MailSafe (to which PGP showed a remarkable 
> resemblence;-) too.
>
>         I also don't disagree with Eric Rescorla or Sameer Parekh, two savvy
> developers who stressed the importance of RSA's BSAFE toolkit, with its
> inevitable biases.
>
>         I was only rambling about the broader politech context as a way of
> explaining why DH with DSS (what many younger people today suggest was the
> obvious  alternative PKC for SSL) was not then, or for several years later,
> seen as a viable choice -- even if some prescient soul saw fit to factor the
> 1997 DH patent expiration into the design decision.
>
>         The fact that DH -- and Fortezza's KEA, whose shadow then should not
> be underestimated -- needed a royalty-free DSS was a major factor in the way
> a lot of American OEMs evaluated their options for PKI and PKC-enabled apps
> and products in 1994-1995.
>
>         My humble apologies (and grateful thanks also) to Kipp Hickman --
> the Netscape crypto engineer who designed SSL v.1 and v.2 -- whose name I
> should have mentioned.
>
>         _Vin
>
> -----------------------------------------
>
> Date: Fri, 03 Dec 1999 20:46:38 -0800
> From: Paul Kocher <paul () cryptography com>
> To: EKR <ekr () rtfm com>, openssl-users () openssl org
> Cc: Tom Weinstein <tomw () geocast com>, paul () cryptography com,
>         cypherpunks () algebra com
> References: <E11tzkz-0006pJ-00 () nautilus shore net>
> Subject:  Re: Navigator, IE & RSApck-based SSL
>
>
> Vin McLellan <vin () shore net> writes:
>
> > >         Maybe you could also comment on the original choice of RSApkc for
> > > key exchange in the original SSL ciphersuite, Tom?  Paul? There are a
> > > lot of conspiratorial stories  (Can you believe that?!) which circulate
> about
> > > RSADSI's nefarious Imperial schemes to rule the world, and how Netscape
> > > and SSL were Jim Bidzos' bloody sword and shield;-)
>
> At 04:37 PM 12/3/99 -0800, EKR wrote:
>
> > I'm not Tom or Paul, but as one of the S-HTTP designers and someone who
> > saw very early SSL specs, I'll put in my $.02.
> >
> > At the time (94-95) getting DH was no easier than getting RSA due
> > to the existence of PKP. Moreover, it was pretty clear that
> > RSA was the popular choice: There were certificate formats (X.509)
> > and an email format (PEM) based on it. From our perspective the
> > DH/DSS situation was much less evolved. In point of fact, a very
> > early draft of S-HTTP contained DH support, which was removed
> > after Burt Kaliski pointed out to us that it was underspecified.
> >
> > Moreover, RSA/PKP was very unwilling to grant a patent
> > license, preferring to sell you BSAFE and TIPEM, which were
> > very biased towards RSA. The DSS support was nonexistent
> > and the DH support (at least through BSAFE 3.0) was terrible.
> > (In point of fact, despite the fact that BSAFE includes DH,
> > when I added the the DH/DSS ciphersuites to Terisa's product,
> > I wrote the code myself rather than using BSAFE's).
> >
> > 1998 seemed impossibly far away at the time and so it didn't
> > even occur to us to worry about the DH patent expiring. This
> > would not have been a convincing reason not to use RSA.
> >
> > -Ekr
> >
> > P.S. SSLv1 and v2 were not designed by Kocher et al. They were
> > designed by Kipp Hickman (also a Netscape employee) in the
> > fall of 1994.
>
>
> This pretty much matches my take.  Although I wasn't involved with SSL 2,
> the choice of RSA makes sense even ignoring the licensing issues -- people
> trust the RSA algorithm, while DSA was relatively new and was the subject
> trustworthiness/patent status concerns.  The main purpose of SSL was
> to help people to trust the web with personal data like credit card numbers,
> so perceptions did matter.  Also, Verisign only supported RSA (no
> coincidence, since they were spun-off from RSA).
>
> On the SSL 3.0 design, Phil, Alan, and I had pretty much complete freedom to
> do whatever made sense, except that we had to support Fortezza and weak
> crypto (which none of us were enthusiastic about).  We did what we could 
> -- for
> example, each party uses a different 40-bit key to squeeze an extra bit
> of effective security, strong authentication is used no matter what algorithm
> is selected, etc.  For the benefit of non-web uses and standards bodies
> we added the non-RSA options, but never expected it to gain much use on
> the web.
>
> - Paul
>
>
>
> _________________________________________________________________
> Paul Kocher                             Cryptography Research, Inc.
> Tel: 415.397.0123 (fax: -0127)          607 Market St., 5th Floor
> E-mail: paul () cryptography com           San Francisco, CA 94105
>
> --------------------------------------