At 04:37 PM 12/3/99 -0800, EKR wrote:
>Vin McLellan <[EMAIL PROTECTED]> writes:
> >         Maybe you could also comment on the original choice of RSApkc for
> > key exchange in the original SSL ciphersuite, Tom?  Paul? There are a lot of
> > conspiratorial stories  (Can you believe that?!) which circulate about
> > RSADSI's nefarious Imperial schemes to rule the world, and how Netscape and
> > SSL were Jim Bidzos' bloody sword and shield;-)
>I'm not Tom or Paul, but as one of the S-HTTP designers and someone who
>saw very early SSL specs, I'll put in my $.02.
>
>At the time (94-95) getting DH was no easier than getting RSA due
>to the existence of PKP. Moreover, it was pretty clear that
>RSA was the popular choice: There were certificate formats (X.509)
>and an email format (PEM) based on it. From our perspective the
>DH/DSS situation was much less evolved. In point of fact, a very
>early draft of S-HTTP contained DH support, which was removed
>after Burt Kaliski pointed out to us that it was underspecified.
>
>Moreover, RSA/PKP was very unwilling to grant a patent
>license, preferring to sell you BSAFE and TIPEM, which were
>very biased towards RSA. The DSS support was nonexistent
>and the DH support (at least through BSAFE 3.0) was terrible.
>(In point of fact, despite the fact that BSAFE includes DH,
>when I added the DH/DSS ciphersuites to Terisa's product,
>I wrote the code myself rather than using BSAFE's).
>
>1998 seemed impossibly far away at the time and so it didn't
>even occur to us to worry about the DH patent expiring. This
>would not have been a convincing reason not to use RSA.
>
>-Ekr
>
>P.S. SSLv1 and v2 were not designed by Kocher et al. They were
>designed by Kipp Hickman (also a Netscape employee) in the
>fall of 1994.


This pretty much matches my take.  Although I wasn't involved with SSL 2,
the choice of RSA makes sense even ignoring the licensing issues -- people
trust the RSA algorithm, while DSA was relatively new and was the subject
of trustworthiness/patent status concerns.  The main purpose of SSL was
to help people to trust the web with personal data like credit card numbers,
so perceptions did matter.  Also, Verisign only supported RSA (no coincidence,
since they were spun-off from RSA).

On the SSL 3.0 design, Phil, Alan, and I had pretty much complete freedom to
do whatever made sense, except that we had to support Fortezza and weak crypto
(which none of us were enthusiastic about).  We did what we could -- for
example, each party uses a different 40-bit key to squeeze an extra bit
of effective security, strong authentication is used no matter what algorithm
is selected, etc.  For the benefit of non-web uses and standards bodies
we added the non-RSA options, but never expected it to gain much use on
the web.

- Paul



_________________________________________________________________
Paul Kocher                             Cryptography Research, Inc.
Tel: 415.397.0123 (fax: -0127)          607 Market St., 5th Floor
E-mail: [EMAIL PROTECTED]           San Francisco, CA 94105
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
