GAK, Netscape, CyberDog

[Rzepa, Henry]

Dear All,

Its not my intention to deluge this particular list with conspicuously
non-chemical matters, but this just happened to come today. I
think it has profound implications for the chemistry and the
software developer community. It contains some URLs of
interest, so I think it worthwhile archiving on our list!


>>To: d2 at gemma.demon.co.uk
>>From: "by way of fm at fma.com (Fearghas McKay" <rah at shipwright.com>
>>Mmdf-Warning:  Parse error in original version of preceding line at
>>relay-3.mail.demon.net
>>Subject: GAK, Netscape, CyberDog, and you.
>>X-Smtp-Posting-Host: gemma.demon.co.uk [Mon, 4 Dec 95 21:09:11 GMT]
>>X-Smtp-Posting-Host: post.demon.co.uk [Mon, 4 Dec 95 21:10:54 GMT]
>>
>>Hi Semper Fi-ers!
>>
>>I've been lurking on this list for a long time, and I haven't said much
>>here primarily because I'm not a developer. I mean, I've hired developers,
>>and sold the software I've had them build for me. Not very well, I might
>>add, which is why I try do something else (talk and write) for a living
>>now. Frankly, I couldn't code my way out of a paper bag, which, of course,
>>is why I've not said much here. :-).
>>
>>Anyway, something has come up which I think makes the world very
>>interesting, and I think you should know about it.
>>
>>Netscape has come out in favor of what the government calls "key escrow",
>>but which most "cypher"-punks (and I seem to have become one over the last
>>year and a half) call GAK, for Government Access to Keys.
>>
>>Here's the URL: http://www.cnet.com/Central/News/govt.html . This is a news
>>report of a speech that Jim Clark gave at a trade show in Boston this week.
>>
>>Normally, as serious as this is in the rest of the world, that wouldn't
>>really rate a mention here, except for the fact that this presents a very
>>interesting set of opportunities for the *independent* Mac developer
>>community in the form of CyberDog, Apple's set of OpenDoc parts for the
>>internet. I'll get to that in a moment, but first, let me give you some
>>background on the problem.
>>
>>
>>Netscape's Jim Clark has quite a tightrope act going. He has a stock price
>>which gives Netscape a P/E ratio of something like 7,000 (the S&P average
>>right now is about 14), which means he really ought to get some revenue in
>>the door, or his investors are going to have his hide. The next thing is,
>>the government is a *really* big customer, and *they* want GAK, in case you
>>haven't noticed. ;-). Couple this with the fact that Netscape is pretty
>>much replicable by concentrated developer effort because its underlying
>>technology is an open standard, *and* the fact that any significant attempt
>>by them to create any real proprietary standards on the internet is
>>practically impossible in the long run, unless they get a whole lot of very
>>big customers in a hurry.
>>
>>Now, it looks like that's what happened already, because a lot of very
>>large companies have signed on to using Netscape servers, but you can also
>>see how really weak Netscape's position is when Uncle Sam knocks on their
>>door and asks for a key escrow "bug" in every "secure" Netscape web
>>session.
>>
>>This isn't the first time that Netscape has had problems with financial
>>cryptography and the law. Netscape made the papers recently because the
>>government-mandated SSL key-size in their export version was too small. (We
>>won't talk about the cognitive dissonance between the words "export" and
>>"internet" just yet...)  The "export" version of  Netscape Navigator got
>>cracked by a French grad student in a university computer lab, who broke it
>>just by running a bunch of background processes on his Sun workstations for
>>a couple days over a weekend. The ITARs, the arms export laws covering this
>>(cryptography is legally a munition, more cognitive dissonance), are a now
>>problem for everybody who wants to do business securely and safely on the
>>internet.
>>
>>More to the point, since digital bearer certificate technology, the most
>>economical method for doing business on the net, is entirely based on
>>digital signatures, which in turn are entirely based on very strong public
>>key cryptography, all business on the internet will eventually require very
>>strong cryptography. In other words, if you don't have unbreakable key
>>sizes, you can't issue digital certificates to pay for things with. It
>>would be like having paper money which is easy to forge.
>>
>>Lately, I like to say that "Digital Commerce *is* Financial Cryptography",
>>and it's true. First Virtual has the only truly "out of band" internet
>>transaction settlement mechanism, it's very well-designed, and very robust,
>>but you have to remember that they did it *because* of the ITARs, and the
>>complications for financial cryptography those regulations cause, no matter
>>how much First Virtual itself likes to "dis" financial cryptography as a
>>concept. Unfortunately, the transaction costs on such out-of-band methods
>>are always going to be higher because of the inefficiencies of not
>>instantly settling transactions, like you can with something like digital
>>cash. When you buy something in the store for cash, you initiate, settle
>>and clear the trade all at once, right there at the cash register, without
>>an audit trail to maintain. Frankly, *any* credit card trade is really an
>>"out-of-band" method, because it has to go off of the net to clear and
>>settle, with audit trails, and the overhead of their offsetting
>>book-entries.
>>
>>Fortunately, as governments start to figure this out, they will have to
>>stand back and let the economic train go by, so to speak.
>>
>>
>>So, having said all that, let's talk about OpenDoc and CyberDog.
>>
>>I hear that with CyberDog, building a secure Netscape-compatible browser in
>>OpenDoc is now pretty simple. That adding economically useful -- and
>>interchangable -- functionality like strong encryption, digital cash
>>protocols and most of the tools of digital commerce is also pretty
>>straightforward. That is, even though they have to be developed separately,
>>because Apple justifiably doesn't want to have the ITARs limiting its
>>export market for both OpenDoc and CyberDog. Again that cognitive
>>dissonance between "export" and "internet".
>>
>>In addition to building utterly secure browser-server links, I see some
>>interesting OpenDoc digital commerce applications coming out of a
>>Netscape-compatible browser. My favorite "flash" on this was imagining the
>>ability to drag Digicash ecash dollar bill icons out of a wallet and
>>dropping them on a cash-register icon in a web page to pay for a
>>transaction. That's certainly doable with OpenDoc and CyberDog.
>>
>>In addition, the IETF has just promulgated a secure link-level encryption
>>standard called IPSEC, which allows for encrypted links between any two
>>machines on the net, with any cryptographic method you want. That looks
>>like a great Open Transport Streams Module project to me. And the wierd
>>thing is, once IPSEC is out there, GAK in Netscape becomes moot, anyway.
>>Netscape can only shoot itself in the foot here, and it looks like they
>>already have, with a premature announcement of GAK.
>>
>>
>>One final thing about Netscape. It's not their fault. There is no evil
>>man-behind-the curtain in all of this. The government's doing what it
>>thinks necessary for the preservation of order, and thinks it needs GAK to
>>do that. Netscape is doing the best it can for its (newly rich)
>>stockholders, and thinks it needs to comply with Uncle Sam, which it
>>probably in fact has to do, or burst it's stock market price sooner, rather
>>than later.
>>
>>Also, there is no reason why Netscape can't make a Navigator OpenDoc part,
>>and I expect that they are planning to. I bet that Apple would really like
>>that, and as a matter of fact, is probably courting Netscape to do exactly
>>that.
>>
>>But I also know that by using OpenDoc and CyberDog, that the user can
>>create a very easy to use, flexible, extensible, and *powerful* internet
>>environment. Being there first with a Netscape-compatible browser,
>>especially one that doesn't have GAK built into it, will be worth a whole
>>lot in the marketplace for any enterprizing independent OpenDoc parts
>>developer.
>>
>>
>>I'm going to be giving a talk on Wednesday at noon at Apple's Town Hall, (4
>>Infinite Loop) in Cupertino about what I'm calling "geodesic" markets, that
>>is,  financial cryptography on the internet.  The URL for a web page with
>>all the details is
>>
>>http://thumper.vmeng.com/pub/rah/talk.html .
>>
>>In addition, if you want more stuff on financial cryptography, you might
>>want to try my e$ home page, which is in my .sig, below.
>>
>>Finally, I've asked an *actual* financial cryptographer, Eric Hughes, who
>>many of you may know from the cypherpunks mailgroup, and from the Clipper
>>fight, to show up at the Cupertino talk and bail me out on the real hard
>>questions.
>>
>>
>>Well, that's about it. Oh. The talk is titled "Financial Cryptography for
>>Dogs". I think you can see why, in light of the events of the last week,
>>it's quite appropriate.
>>
>>Cheers,
>>Bob Hettinga
>>
>>
>>
>>-----------------
>>Robert Hettinga (rah at shipwright.com)
>>e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971
>>"Reality is not optional." --Thomas Sowell
>>The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/
>>>>>>Phree Phil: Email: zldf at clark.net  http://www.netresponse.com/zldf <<<<<
>>
>>-------------------------------------
>>Macintosh Cryptography Interface Project...
>>To stop delivery of the list, send mail to <mcip-request at DeepEddy.com>
>>with the command "unsubscribe" in the message body.
>>For more info on the MCIP, MCIP software development or MacPGP, see:
>><http://uts.cc.utexas.edu/~grgcombs/htmls/crypto.html>

Dr Henry Rzepa,  Department of Chemistry,  Imperial College,  LONDON SW7 2AY;
rzepa at ic.ac.uk via Eudora Pro 2.1.3; Tel  (44) 171 594 5774; Fax: (44) 171
594 5804.
World-Wide Web URL: http://www.ch.ic.ac.uk/rzepa/