Vin McLellan <[EMAIL PROTECTED]> writes:
>         Maybe you could also comment on the original choice of RSApkc for
> key exchange in the original SSL ciphersuite, Tom?  Paul? There are a lot of
> conspiratorial stories (Can you believe that?!) which circulate about
> RSADSI's nefarious Imperial schemes to rule the world, and how Netscape and
> SSL were Jim Bidzos' bloody sword and shield;-)
I'm not Tom or Paul, but as one of the S-HTTP designers and someone who
saw very early SSL specs, I'll put in my $.02.

At the time (94-95) getting DH was no easier than getting RSA due
to the existence of PKP. Moreover, it was pretty clear that
RSA was the popular choice: There were certificate formats (X.509)
and an email format (PEM) based on it. From our perspective the
DH/DSS situation was much less evolved. In point of fact, a very
early draft of S-HTTP contained DH support, which was removed
after Burt Kaliski pointed out to us that it was underspecified.

Moreover, RSA/PKP was very unwilling to grant a patent
license, preferring to sell you BSAFE and TIPEM, which were
very biased towards RSA. The DSS support was nonexistent
and the DH support (at least through BSAFE 3.0) was terrible.
(In point of fact, despite the fact that BSAFE includes DH,
when I added the DH/DSS ciphersuites to Terisa's product,
I wrote the code myself rather than using BSAFE's).

1998 seemed impossibly far away at the time and so it didn't
even occur to us to worry about the DH patent expiring. This
would not have been a convincing reason not to use RSA.

-Ekr

P.S. SSLv1 and v2 were not designed by Kocher et al. They were
designed by Kipp Hickman (also a Netscape employee) in the 
fall of 1994.

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]