GAK, Netscape, CyberDog, and you

  Locations of visitors to this page
be notified of website changes? subscribe
Crypto Freedom!

 

Privacy

Zimmermann Legal Defense

Who Are We?

Rogues Gallery

We Win!

Original Appeal

Yellow Ribbon

Funding USA

Funding Europe

Correspondence

Liason Editorial

CypherPunks

Pretty Good Privacy

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

GAK, Netscape, CyberDog, and you

From: rah@SHIPWRIGHT.COM (Robert Hettinga)
Date: Fri, 1 Dec 1995 13:36:46 -0500
Subject: GAK, Netscape, CyberDog, and you.

Hi Semper Fi-ers!

I've been lurking on this list for a long time, and I haven't said much here primarily because I'm not a developer. I mean, I've hired developers, and sold the software I've had them build for me. Not very well, I might add, which is why I try do something else (talk and write) for a living now. Frankly, I couldn't code my way out of a paper bag, which, of course, is why I've not said much here. :-).

Anyway, something has come up which I think makes the world very interesting, and I think you should know about it.

Netscape has come out in favor of what the government calls "key escrow", but which most "cypher"-punks (and I seem to have become one over the last year and a half) call GAK, for Government Access to Keys.

Normally, as serious as this is in the rest of the world, that wouldn't really rate a mention here, except for the fact that this presents a very interesting set of opportunities for the *independent* Mac developer community in the form of CyberDog, Apple's set of OpenDoc parts for the internet. I'll get to that in a moment, but first, let me give you some background on the problem.

Netscape's Jim Clark has quite a tightrope act going. He has a stock price which gives Netscape a P/E ratio of something like 7,000 (the S&P average right now is about 14), which means he really ought to get some revenue in the door, or his investors are going to have his hide. The next thing is, the government is a *really* big customer, and *they* want GAK, in case you haven't noticed. ;-). Couple this with the fact that Netscape is pretty much replicable by concentrated developer effort because its underlying technology is an open standard, *and* the fact that any significant attempt by them to create any real proprietary standards on the internet is practically impossible in the long run, unless they get a whole lot of very big customers in a hurry.

Now, it looks like that's what happened already, because a lot of very large companies have signed on to using Netscape servers, but you can also see how really weak Netscape's position is when Uncle Sam knocks on their door and asks for a key escrow "bug" in every "secure" Netscape web session.

This isn't the first time that Netscape has had problems with financial cryptography and the law. Netscape made the papers recently because the government-mandated SSL key-size in their export version was too small. (We won't talk about the cognitive dissonance between the words "export" and "internet" just yet...) The "export" version of Netscape Navigator got cracked by a French grad student in a university computer lab, who broke it just by running a bunch of background processes on his Sun workstations for a couple days over a weekend. The ITARs, the arms export laws covering this (cryptography is legally a munition, more cognitive dissonance), are a now problem for everybody who wants to do business securely and safely on the internet.

More to the point, since digital bearer certificate technology, the most economical method for doing business on the net, is entirely based on digital signatures, which in turn are entirely based on very strong public key cryptography, all business on the internet will eventually require very strong cryptography. In other words, if you don't have unbreakable key sizes, you can't issue digital certificates to pay for things with. It would be like having paper money which is easy to forge.

Lately, I like to say that "Digital Commerce *is* Financial Cryptography", and it's true. First Virtual has the only truly "out of band" internet transaction settlement mechanism, it's very well-designed, and very robust, but you have to remember that they did it *because* of the ITARs, and the complications for financial cryptography those regulations cause, no matter how much First Virtual itself likes to "dis" financial cryptography as a concept. Unfortunately, the transaction costs on such out-of-band methods are always going to be higher because of the inefficiencies of not instantly settling transactions, like you can with something like digital cash. When you buy something in the store for cash, you initiate, settle and clear the trade all at once, right there at the cash register, without an audit trail to maintain. Frankly, *any* credit card trade is really an "out-of-band" method, because it has to go off of the net to clear and settle, with audit trails, and the overhead of their offsetting book-entries.

Fortunately, as governments start to figure this out, they will have to stand back and let the economic train go by, so to speak.

So, having said all that, let's talk about OpenDoc and CyberDog.

I hear that with CyberDog, building a secure Netscape-compatible browser in OpenDoc is now pretty simple. That adding economically useful -- and interchangable -- functionality like strong encryption, digital cash protocols and most of the tools of digital commerce is also pretty straightforward. That is, even though they have to be developed separately, because Apple justifiably doesn't want to have the ITARs limiting its export market for both OpenDoc and CyberDog. Again that cognitive dissonance between "export" and "internet".

In addition to building utterly secure browser-server links, I see some interesting OpenDoc digital commerce applications coming out of a Netscape-compatible browser. My favorite "flash" on this was imagining the ability to drag Digicash ecash dollar bill icons out of a wallet and dropping them on a cash-register icon in a web page to pay for a transaction. That's certainly doable with OpenDoc and CyberDog.

In addition, the IETF has just promulgated a secure link-level encryption standard called IPSEC, which allows for encrypted links between any two machines on the net, with any cryptographic method you want. That looks like a great Open Transport Streams Module project to me. And the wierd thing is, once IPSEC is out there, GAK in Netscape becomes moot, anyway. Netscape can only shoot itself in the foot here, and it looks like they already have, with a premature announcement of GAK.

One final thing about Netscape. It's not their fault. There is no evil man-behind-the curtain in all of this. The government's doing what it thinks necessary for the preservation of order, and thinks it needs GAK to do that. Netscape is doing the best it can for its (newly rich) stockholders, and thinks it needs to comply with Uncle Sam, which it probably in fact has to do, or burst it's stock market price sooner, rather than later.

Also, there is no reason why Netscape can't make a Navigator OpenDoc part, and I expect that they are planning to. I bet that Apple would really like that, and as a matter of fact, is probably courting Netscape to do exactly that.

But I also know that by using OpenDoc and CyberDog, that the user can create a very easy to use, flexible, extensible, and *powerful* internet environment. Being there first with a Netscape-compatible browser, especially one that doesn't have GAK built into it, will be worth a whole lot in the marketplace for any enterprizing independent OpenDoc parts developer.

I'm going to be giving a talk on Wednesday at noon at Apple's Town Hall, (4 Infinite Loop) in Cupertino about what I'm calling "geodesic" markets, that is, financial cryptography on the internet. The URL for a web page with all the details is

http://thumper.vmeng.com/pub/rah/talk.html

In addition, if you want more stuff on financial cryptography, you might want to try my e$ home page, which is in my .sig, below.

Finally, I've asked an *actual* financial cryptographer, Eric Hughes, who many of you may know from the cypherpunks mailgroup, and from the Clipper fight, to show up at the Cupertino talk and bail me out on the real hard questions.

Well, that's about it. Oh. The talk is titled "Financial Cryptography for Dogs". I think you can see why, in light of the events of the last week, it's quite appropriate.

Cheers,
Bob Hettinga

--
Robert Hettinga (rah@shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971
"Reality is not optional." --Thomas Sowell
The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/
Phree Phil: Email: zldf@clark.net http://www.netresponse.com/zldf

Have you found errors nontrivial or marginal, factual, analytical and illogical, arithmetical, temporal, or even typographical? Please let me know; drop me email. Thanks!
 
What's New?  •  Search this Site  •  Website Map
Travel  •  Burning Man  •  San Francisco
Kilts! Kilts! Kilts!  •  Macintosh  •  Technology  •  CU-SeeMe
This page is copyrighted 1993-2008 by Lila, Isaac, Rose, and Mickey Sattler. All rights reserved.