LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue20/sameer.html

738 lines
34 KiB
HTML
Raw Permalink Blame History

<!--startcut ==========================================================-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<title>Interview with Sameer Parekh Issue 20</title>
</HEAD>
<BODY BGCOLOR="#EEE1CC" TEXT="#000000" LINK="#0000FF" VLINK="#0020F0"
ALINK="#FF0000">
<!--endcut ============================================================-->
<H4>
&quot;Linux Gazette...<I>making Linux just a little more fun!</I>&quot;
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H2>Interview with Sameer Parekh</H2>
<H4>By James T. Dennis,
<a href="mailto:info@starshine.com">info@starshine.com</a></H4>
</center>
<P><HR><P>
<I>Jim Dennis, "The Answer Guy" columnist for <I>Linux Gazette</I>
interviewed Sameer Parekh for us. Sameer Parekh is the founder
of C2Net Software Inc., <a href="http://www.c2.net">http://www.c2.net</a>,
the company
that imports the Stronghold web server. Stronghold has added
fully licensed commercial SSL support and other features
to the popular Apache web server.</I>
<p><B>Jim:</B> So how many platforms have you ported Stronghold to?
<p><B>Sameer:</B> We support almost 20 different forms of Unix.
<p><B>Jim:</B> Obviously Linux is one of them. Do you require a 2.x kernel?
<p><B>Sameer:</B> No. We support both the ELF and the a.out libraries. It works with
1.2 and 2.0, although we generally recommend using the latest stable
kernel.
<p><B>Jim:</B> Which version, or implementation, do you think is your biggest
volume seller? They're all priced the same right?
<p><B>Sameer:</B> Yeah, they're all priced the same. I think actually Linux is our
number one seller. Then, second to that, we have Solaris and Irix.
I haven't ... I really should do the numbers. I haven't done those
because we don't sell on a "per platform basis." We just sell a
Stronghold license, and they can use it on whatever platform they like.
<p><B>Jim:</B> Now you've got separate numbers for when people have gotten a
evaluation copy and when they've licensed it. About how many
evaluation copies are being downloaded every month?
<p><B>Sameer:</B> I couldn't tell you precise numbers ...
<p><B>Jim:</B> Just a ball park... are we talking about 100 per week, a 1000 per week ...
<p><B>Sameer:</B> On the order of 20 to 30 a day so that would come about to a
couple hundred per week or about 1000 per month.
<p>Netcraft shows that we have an installed base of about 20,000 on
the public Internet. But that includes the virtual hosts as well so
it's not 20,000 actual hosts, it's the number of domains served
by a Stronghold server. It's a sort of deceiving number because they're
only checking the non-SSL sites and a lot of people run Apache on
their unencrypted server and Stronghold on the encrypted server.
Many run Stronghold on both as well.
<p>Obviously since we have 20,000 unencrypted sites but there's probably a
higher number of people running Stronghold just on the encrypting
port of their site.
<p>Netcraft did a different survey of SSL servers where we came in
second. That is, for servers in general we came out second among
commercial Unix servers and fourth in commercial overall.
<p><B>Jim:</B> The Netcraft surveys that you've been referring to, is there a
link to those somewhere on your web pages?
<p><B>Sameer:</B> Well, it's at www.netcraft.com. I think the surveys are on our
site as well. I'm pretty proud of our Netcraft ratings so we mention
that pretty prominently.
<p><B>Jim:</B> What can you tell me about C2Net as an organization? I know you used to be
Community Connexions ...
<p><B>Sameer:</B> Yes, we started as an Internet provider, and a privacy provider --
protecting people's privacy on the Net. People could get anonymous
accounts, they could set up anonymous web pages. We were strong
supporters of the re-mailer network, we set up the anonymizer which
lets people browse the net anonymously through our proxy.
<p>That was going reasonably O.K. I was running it more as a hobby
in my spare time while I was a student at Berkeley. Then I left
school to start contracting at SGI down in the South Bay<sup>1</sup>.
<p>At the end of last year we came out with Stronghold, though it wasn't
called that at first. It was called "Apache-SSL U.S." and that started
going really well. It became clear that we'd do a lot better selling
cryptography products then w'd do at selling privacy services.
<p>The privacy services was going O.K. but it wasn't enough to become a
day job... it wasn't enough to get an office... it wasn't enough to
hire people... it was pretty much a one man operation out of my house
when it was just a privacy business.
<p>So, as it was obvious that we could do a lot better by selling and
deploying cryptography, we moved our focus away from the
privacy services and changed our name to c2.net to reflect that
change in focus and to concentrate primarily on deploying strong
cryptography worldwide. So, as of a few months back, we officially
had the name changed to C2Net Software Inc.
<p><B>Jim:</B> And you moved your customers over to Dave Sharnoff's idiom.com?
<p><B>Sameer:</B> ... we moved our dial-up customers over to idiom back, some time ago
like, last April or so--but we were still supporting the privacy
services until late last year when we move all of our web hosting and
anonymous account holders to Cyberpass which is down in San Diego
and is run by a cypherpunk<sup>2</sup> who is very active in privacy and in the
re-mailer network.
<p><B>Jim:</B> You mentioned that you do cryptography as your business and you
just mentioned the "cypherpunks" which is where you and I first
met--probably at one of the meetings on the Stanford Campus in
Palo Alto. It that where you find most of your employees?
<p><B>Sameer:</B> I get most of my employees from there and from people I know at
school and through other personal contacts and existing employee
referrals. So I think that, of the eleven employees I have, about
half of those I know through cypherpunks. We a pretty cypherpunks
oriented company.
<P>We're really the only company that's willing to deal with the fact
that what the US government is trying to do with their export restrictions
goes beyond just impeding or restricting export--but to create a chilling
effect so that companies inside the US cripple their cryptography even for
their domestic products. So we're one of the few, maybe the only company
in the U.S., that's standing up to this ... that isn't willing
to back down in the face of this chilling effect.
<p>I think a lot of my motivation is related to my involvement
with the cypherpunks and being involved during all the controversy
surrounding the clipper chip when that was first proposed.
<p>All of our development happens overseas so that we can do
cryptography worldwide and the international versions of our
products don't have to be crippled to 40-bit keys that can be broken in
three and a half hours.
<p><B>Jim:</B> So your approach is similar to what Jon Gilmore and Hugh Daniels are
doing with the Free S/WAN project--keeping the developers on the
other end and you're providing the quality assurance on this side...
<p><B>Sameer:</B> Well, we're providing mostly the marketing, actually, and the sales.
We do a little bit of QA but that's too close to the export issue. We
also do the documentation--that's all written in the U.S.
<p>The main benefit of having a U.S. office is the marketing and sales
even though all of the development has to happen overseas, all the
protocols and the standardization efforts, all that new stuff is
all in the U.S. Stronghold conforms to protocols developed and
published by Netscape, the W3 consortium and the IETF--among others.
<p><B>Jim:</B> Now, there's something I'm curious about. You've combined Apache and
SSLeay which is Eric A. Young's SSL<sup>3</sup> implementation--and those are what
you've integrated in Stronghold. Then you got a license from RSA
so you could include their public key libraries. So how did you
approach the Apache organization with the idea for a commercial
version of their free package? What kinds of licensing...
<P><B>Sameer:</B> Well, Apache is free under the Berkeley style license as opposed to
the GPL which means that, if I wanted to, I didn't have to have any
relationship with the Apache group. It's possible to just take Apache
and, according to their license, leave in the appropriate copyright
notices and just start selling a product.
<p>But that would be kind of rude I think. I'd been involved in the group
already before having any intention of changing the focus of my business.
I saw a need for an SSL version of Apache that would be available within
the U.S. So I started working on it and found SSLeay and I found
Ben Laurie's Apache-SSL patches, which he'd done in the UK, and I
integrated all of that for limited distribution within the U.S.
<p>So I had joined the Apache group for that. I already new many of the
Bay Area members socially. I became a contributor--though not as big
as the people who do large chunks of the code but I do testing and help
with the documentation. I have a tech writer who's a full-time employee
of C2Net who does documentation that she contributes back to the Apache group.
<p>I originally joined in an effort to support the group because I
think that free software is a great thing. As the product has started
doing well I think that our connection to the Apache group has been
mutually beneficial. Any bug reports we get from our customers go
back to them, any bugs we find, we fix and donate back. A large number
of the features we've added we've also donated back. Naturally we haven't
donated *all* the features since we need to maintain some proprietary
value because we need to make some money as well.
<p><B>Jim:</B> Did you talk to Eric Young?
<p><B>Sameer:</B> Yes. We're in close contact with Eric. We work really well with him.
<p><B>Jim:</B> I'm not familiar with his licensing...
<P><B>Sameer:</B> Yes, both his and Ben Laurie's are very Berkeley style licenses.
They are free software for commercial and non-commercial use--you
just have to give credit. So in our marketing materials, documentation,
and on our web pages it says "this product contains software written by
Eric Young, and by the Apache Group" ... that sort of thing.
<p><B>Jim:</B> So what do you think about the GPL vs. Berkeley issue. I know this is
an ongoing bone of contention between the FreeBSD and Linux camps.
<P><B>Sameer:</B> I'm generally in favor of Berkeley over GPL because I
think that free
software is best done in a variety of different contexts.
In particular with the crypto environment, it's impossible to do
completely free software inside the U.S., if it involve any public key
techniques, because of the patents<sup>4</sup>.
<p>So for doing crypto inside the U.S., because of the intellectual property
issues and the patent environment, it's impossible to release products
under GPL. I think that the fewer restrictions we place on our software
the more people will use it.
<p>The reason I would write free software is so that people will use it.
If you put complex restrictions on your software saying that you can't
sell any derivatives of it unless.... you create a lot of worry.
<p>Perhaps the motivations of the people writing GPL software are not
just to make it widely used. That's valid. But it doesn't match
my personal motivations for releasing free software. It's clear that
it should be properly credited and have some controls. I don't think
things should be released to the public domain.
<p>Well, I do see a lot of debate about that question--particularly on
the FreeBSD mailing list. I suspect the debate and flame wars on that
will go on forever.
<p><B>Jim:</B> So, how many people have you got working here?
<p><B>Sameer:</B> We have nine people here in the U.S. and two people abroad and then
we have a couple of contractors. That comes out to about 14 or so.
<p><B>Jim:</B> And where are your international programmers?
<P><B>Sameer:</B> We don't say.
We don't want the U.S. government and others to know which country they're
in. They might then put pressure on that country to add export restrictions
to their laws.
<p>This administration has appointed a person, David Aaron, whose sole job
is to convince other countries to adopt similar restrictions to ours--so
that our strategy won't continue to work. Obviously if all other
countries had similar export restrictions than doing development in
any given one would only allow sales in that locale. That would
be pointless in a global economy.
<p>So they have this guy, David Aaron, who effectively harasses and
bullies other countries into adopting restrictions for US interests.
We want to ensure that he can't target the country where we are doing
our development.
<p><B>Jim:</B> And no one from our government's asked? Have you had any official
contact yet?
<p><B>Sameer:</B> No. Not yet.
<p><B>Jim:</B> Do you know of other companies that have?
<p><B>Sameer:</B> I've heard a lot of rumors from companies who've had visits
from the NSA saying "what you're doing is wrong, you should
stop it or it will do bad things to the rest of your business."
<p>They can't do that to me because I have no other business. We do
cryptography and we're at odds with export restrictions on intellectual
property.
<p><B>Jim:</B> So, would you see that as your edge against Microsoft, Netscape and Sun --
that they would have other aspects of their business that might get
severely hampered by the fight against cryptography export restrictions.
<p><B>Sameer:</B> Well. It's not worth it to them. It doesn't make good business
sense for them. At the same time it is a business necessity for us.
So any company that doesn't want to fight this battle can offload
that onto us. They can license our software--and their offshore
distribution agents can also license our software and they don't have
to do any development. They don't have to put their business at risk
over questions of cryptography technologies.
<p><B>Jim:</B> I see. Speaking of other cryptographers, I hear that Phil Zimmerman
just moved to the Bay Area to found PGP Inc.
Do you have any contact with him?
<P><B>Sameer:</B> No. We don't currently have any professional contact with them.
<P><B>Jim:</B> I'm confused about what happened there. Phil licensed the commercial
rights to PGP to a company called ViaCrypt ...
<p><B>Sameer:</B> ... then he bought ViaCrypt--actually their parent company.
<P><B>Jim:</B> That's what I thought I'd read.
So what other products are you working on?
<P><B>Sameer:</B> Well we have our "Safe Passage" web proxy. This does full strength
SSL for web browsers world wide. It's currently in beta and is
available at our U.K. site.
<p>That provides a locally hosted proxy to provide full strength
cryptographic capabilities to the international versions of Netscape
and Microsoft browsers. As you know those are limited to 40-bit
crypto when sold outside of the U.S.--denying them access to sites
that require the domestically available stronger keys.
<p>Basically Safe Passage allows a user's browser to talk 40 bit to the
proxy on their system which, in turn talks to hosts out on the web.
It runs under Windows.
<p><B>Jim:</B> So what do you think of the Free S/WAN project<sup>5</sup>
<P><B>Sameer:</B> I think it's a good thing. We need to provide IP level encryption
in addition to the applications specific security provided by programs
like Stronghold or PGP. With regards to our product line, we haven't
evaluated how that might fit into our strategy. So I don't have any
comment from a business perspective.
<p>However I think, from a more personal point of view, that producing
a freely available implementation of IP level encryption is a great thing.
We want this deployed so that all of the Internet traffic is encrypted
and especially so it's authenticated.
<p><B>Jim:</B> Getting back to Stronghold as a "commercially supported
Apache Server" and
leaving aside it's support for SSL and commerce... are there any
companies offering just that--just a commercially packaged Apache?
<p><B>Sameer:</B> There are companies that offer Apache support services--but there aren't
any that sell a supported package--where you'd get a shrink-wrapped box,
with binaries, and pre-printed documentation, or anything like that.
So these companies just offer the service. We offer a product--which
includes e-mail support, of course.
<p>Cygnus was doing some Apache support as well but I believe they may have
dropped that. Then there was a company in South Africa, Thawte, which
had a product called Sioux. We ended up buying that out and integrating
its features with Stronghold's.
<p>Sioux was released a few months after we had produced "Apache SSL
U.S."
We started talking to Thawte--and decided to buy that product from
them to eliminate any conflict of interest for some other business
that we wanted to do with them.
<p>You see Thawte's primary business is as a CA (certification authority).
So it was an amicable arrangement since it wasn't the software business
that they wanted to get into.
<p>So we are now bundling Thawte certificates with a Stronghold package.
That's only fifty dollars more--which is about half the regular price
of a Thawte.
<p><B>Jim:</B> So do you find that many of your customers have to go with
Verisign<sup>6</sup> for other reasons?
<p><B>Sameer:</B> Well, Thawte is gaining in popularity though their certificates are
only accepted in the latest browsers from Netscape and Microsoft.
So support for older versions of Netscape is probably the main reason
people had been choosing Verisign over Thawte. As the PKI
certification<sup>7</sup>
authority marketplace matures I hope that people will be able to choose
their CA's based on reputation rather than being stuck with whatever the
browser makers supported.
<p>Right now all of the CA's are too new to have any reputations.
So far Verisign is known to be well funded and Thawte is thought of
as a very small company. As far as I can tell they don't have
any reputation with respect to which is more reliable.
<p>The market will have to mature, and they will each have to have time
to build up a track record before people will be able to make informed
decisions.
<P><B>Jim:</B> Now, back when we were talking about support you mentioned that
the e-mail support is included with Stronghold and that telephone support
unbundled from it. What kind of support call volumes are you getting?
Are you getting a lot of calls?
<P><B>Sameer:</B> Not at all. We have an installed base of something like 20,000 according
to Netcraft--and we only about three people doing support and...
<p>... there's no person who just does support. We're a small company so
everyone does a lot of different things. But we have three people who
mostly do support and two people with the word "support" in their
title.
<p>So the support load isn't very high. I think that's because the product
is actually very easy to use, it's intuitive and it's easy to install.
<p>Although we sold some phone support we really prefer e-mail. People get
answers that are more fully formulated and they don't have to wait on hold.
Also when we use e-mail then everything is tracked and recorded so it's
easy to look back on what's been tried and it's easy to forward the issue
around as needed.
<p>We've been pretty successful steering people toward e-mail support so they
don't have to buy the phone support.
<P><B>Jim:</B> So I've been reading in the apache's modules lists about these
php's, what are those?
<P><B>Sameer:</B> php originally stood for "Personal Home Page"--but
it doesn't really
mean that any more, so it's just php and doesn't really stand for
anything.
<p>php is a specific module with does dynamic content--which is the
phrase I like to use for things like server side includes, and extended
ssi, php, e-perl and all of these things. They are all providing
dynamic content--where the page is parsed by the server and the
data that's sent to the client is based on the scripting that's inside
the original document.
<p>php is what we like to use because it's easy to use, it's very robust and
it offers connectivity to almost every database out there. well I should
say that--there are a lot of databases "out there". It can connect to
postgres '95, msql, solid, sybase, odbc, c, etc.
<p>It's a way to embed scripting inside of your html. So, for example, you can
have conditional sections what will include blocks of html based on the
results of certain pieces of code. You can have an HTML page which does
a database query and formats and sends information out of the database.
If offers significant speed advantages over CGI since it's loaded directly
into the web server. You save the load of forking off a Perl process like
you'd usually get with CGI.
<p>So Stronghold 2.0 bundles with the php module. That's in beta now.
We've been using php quite a bit in house for out database connectivity
and our external web site. It's very useful.
<p>We also support the server side includes--which were in the early
CERN server. Stronghold is based on Apache which also includes the
"extended SSI". XSSI adds things like conditionals.
<p><B>Jim:</B> So you think these sorts of tools are better than CGI?
<p><B>Sameer:</B> Yeah. It's a lot easier to build applications--particularly where
it's not a complicated application--where you just want to include
a little scripting directly in your HTML. If you use a CGI script--the
script has to output all of the HTML. It's just as transparent
to the browser--but it's a lot faster, and it's a lot easier for the
web administrator to maintain.
<P><B>Jim:</B> On a different tack, you've got a proxying client that brings international
versions of the standard browsers up to domestic standards of cryptographic
strength. that puts you pretty close to the browsers. Where do you see
the browser market going? In the browser wars what would you like to see
come out of it?
<P><B>Sameer:</B> Hmm. That's tough to say. I think there's no alternatives to the
Netscape and Microsoft browsers at this point. It's hard to say if
one will destroy the other. It's such an open subject, maybe you could
be a bit more specific?
<p><B>Jim:</B> Well--do you see Java doing anything significant
<p><B>Sameer:</B> I think Java has some potential for distributed computing. it has a long
way to go. it's rather unfortunate Microsoft has decided to create it's
own proprietary version of Java.
<p>Then there's javascript--which isn't Java at all. So Netscape's decision
to rename live script to "java"-script and that's added confusion to an
already confused marketplace.
<p>I think javascript is interesting because there are a lot of potential
security problems in it's design.
Some versions of Java have implementation problems. Those can be
fixed. The design of Java pays due care to security considerations.
<p>However when a language like javascript is designed with out any
security in mind--you can't fix it.
<p><B>Jim:</B> In other words "implementations can't fix fundamental
design flaws."
<p><B>Sameer:</B> So the danger is that it [javascript] has a similar name [to Java]--
and it is useful for building Intranet applications where hostile
applications are not a security concern. So javascript can be used
to connect to internal HR data applications or to an order entry
system and make the interaction a lot easier.
<p>Javascript's features allow you to make your client more active--so
the user doesn't have to send everything to the server to get
feedback from your web forms.
<p>The problem is that there is currently no provision to restrict
the browser--to say "I'll accept javascript from within my network but
not anything from anywhere else" or "I'm willing to accept javascript
from these people but not them."
<p>Once it gets to that point I think javascript will have more of a
future and offer real benefits.
<P><B>Jim:</B> Could you add those features to your client side proxy--the
filtering that is?
<p><B>Sameer:</B> It could be done. It would be a lot of work and I'm not sure there'd
be enough of a market for it. I think it's best done in the browser.
<P>Hopefully Netscape will add that to their features set soon.
<p>I usually have Javascript disable--but I see some cases where
I'd like to use it. If I could just turn it on for those applications
it would be very nice.
<p>Java is much closer to secure deployment and authentication.
<p><B>Jim:</B> Speaking of authentication--I have a question about SSL.
Currently the whole SSL view of the world, brought to us by the
Netscape Commerce Server, is all about the server authenticating
itself to the client--about web sites saying "You've reached
me--and not some imposter and there's no <I>man-in-the-middle</I> and we can
exchange information privately."
<p>This doesn't seem to offer anything for the client to authenticate
itself to the server other than manually typed passwords. So maybe
that's a feature that we'd like to see in the browsers--is some sort
of client authentication certificates for SSL.
<p><B>Sameer:</B> Actually that's already in there. Stronghold already supports client
authentication. the SSL protocol added that in version 2. Netscape
supports client certificate authentication starting with Navigator version 3
which is built about SSL version 3.
<p>Stronghold was the first widely used, commercial server to support
SSL client authentication. So now that we have the support in the
browser and our server it's only a question of user acceptance and
getting sites to start using it.
<p>I think that the SSL client auth. is an excellent technology. We're
using it extensively here at C2Net. Because we have people from all over
the world we can't really have this big private WAN and we can't set
up a VPN<sup>8</sup> using something like Free S/WAN--because it isn't even ready
yet.
<p>So we issue client certificates to all of our employees. We have a
Stronghold web server where our sensitive information is stored and
an employee can connect to that server from wherever they are on the
Internet and access business information. They are protected by full-strength
cryptography and RSA encryption on the client side.
<p>It's an incredibly empowering technology because we don't have to worry about
making people come into the office to get this information. they can do it
from home and the can do it securely.
<p><B>Jim:</B> So you don't have to worry about static IP addresses, and boring holes
in your firewall and packet sniffers on your ISP's routers, and ....
<p><B>Sameer:</B> Right. As long as they have their client certificate on
their laptop. You know I have a ricochet [ed. note: Metricom Ricochet are wireless
modems that are popular in the Bay Area because they offer flat
rate unlimited wireless PPP to modem users]--and I can do anything
from my laptop through that.
<p>I can review support questions, work in the bug tracking database,
I use SSL to do logins. That isn't a product of ours.
<p><B>Jim:</B> I met Tatu Ylongen, author of ssh, at the IETF a couple of months ago.
He's started his own company, too. I guess he does all the development
and has Data Fellows doing all of the licensing.
<P><B>Sameer:</B> That's right. Data Fellows is doing all of the sales and marketing
while he's doing the development.
<p><B>Jim:</B> So do you see C2Net coming out with, maybe, an ssltelnet and sslftp to
compete with ssh?
<p><B>Sameer:</B> Well, we can talk about all the details of all our product ideas.
there already is an ssltelnet and sslftp. nobody's supporting them
and nobody's using them yet.
<p>So I think, that as far as encrypting, secure shell logins and file
transfers ssh is the best product out there. Although it's a different
authentication protocol, not like the SSL between my browser and my
web server--but it is RSA based and I can use my copy of ssh through
my ricochet and login to my servers here.
<p><B>Jim:</B> So, if you were to configure all your systems here--presumably all
Unix boxes, and you took out all of the unencrypted and weakly
authenticated services you could almost run without any packet filters
or firewalls--except to prevent address spoofing.
<p><B>Sameer:</B> We have packet filters on all the non-encrypted services--because
there are still a number of useful services for use just within the
private network. We don't allow any non-encrypted packets to pass
through.
<p>We allow ssh for logins and SSL for employee access to our internal
web servers. Those both offer strong authentication--and the SSL
is only accessible to people who have a C2Net employee certificate
installed on their system.
<p><B>Jim:</B> Does the Netscape navigator support a "pass phrase" to unlock the
locally installed certificates, like PGP does with your signature
keys?
<p><B>Sameer:</B> Yes, it has some system where you use a pass phrase to encrypt your
private keys.
<P><B>Jim:</B> So if you lose a laptop you don't have to run right into the office
to revoke those certificates. Hopefully their crypto on that is
strong enough to give you a few hours.
<p><B>Sameer:</B> I'm not sure what they use. Safe Passage uses DES [ed. note DES=
Data Encryption Standard] You see browsers that support client
certificates have to do RSA key generation. So the international
versions are limited to 512 bits for the key. That means that
Safe Passage has to proxy the support for the SSL client authentication
as well. That puts the international client on an even footing
with any of the domestic browsers since Safe Passage is actually
connecting to the web servers for the browsers.
<p>Another benefit of using Safe Passage is that it provides an
integrated location for all your certificate keys if your using
different browsers.
<p>One of the problems with client certificates right now is that Netscape
and Microsoft don't have a published interface for managing the keys
that are installed in each. In other words if you've have a certificate
in Navigator you can't transfer it to your copy of Internet Explorer and
if you have a Navigator SMIME<sup>9</sup> you can't transfer it into Eudora.
<p>So Safe Passage helps by allowing you to use just one certificate
database. We plan to offer an easy way to extract those certificates --
though we haven't figured out quite what that will be, yet.
<p>There are standards emerging on how to do this--and we will be supporting
those standards, of course.
<P><B>Jim:</B> Now this proxy is only available for Win 95, and NT
<P><B>Sameer:</B> ... and Win 3.1
<P><B>Jim:</B> Are you planning on release a Unix/Linux version of that
<p><B>Sameer:</B> Making it available for Unix wouldn't be difficult. It was actually
prototyped under Unix and then ported to Windows and there a graphical
interface was added to it.
<p>However, there isn't much of a market demand, and we are a small company,
so we can't afford to support Unix and Mac on it for now. We'll need to
get some more resources before we could broaden that support--as much
as I'd like to do it.
<p><B>Jim:</B> So, what else can you think of that just HAS to be said?
<p><B>Sameer:</B> The key thing that we, at C2Net, are focusing on is the worldwide
deployment of cryptography. I think it's vital that we deploy
strong crypto worldwide in the very near future.
<p>The U.S. government has made it clear that their intent is to make
the personal use of strong cryptography completely illegal. So, the
deployment has to happen before they do that. If these crypto
products aren't ubiquitous before that we'll have a have a much harder
time in protecting our privacy.
<p>I see cryptography being used for much more interesting things than
just protecting credit cards. While I think that it's prudent to
encrypt your credit card number before sending it over the 'net--it's
not an interesting application of strong cryptography.
<p>So we want to build an infrastructure so that restrictions on personal
use of privacy technology will have major business implications ... so
that privacy itself cannot be made illegal.
<h5>Footnote 1. An area in the San Francisco Bay area--near Silicon Valley.</h5>
<h5>Footnote 2. "cypherpunks" is a mailing list for the discussion of the
politics, technologies and soceal ramifications fo cryptography and privacy
issues--members of the list in various cities meet in person on a regular
basis.</h5>
<h5>Footnote 3. SSL, "secure sockets layer", is the specification
for encrypted and authenticated communications--proposed to
the IETF (Internet Engineering Task Force) by Netscape</h5>
<h5>Footnote 4. RSA holds a suite of patents which cover almost all known
forms of public key encryption--patents are much different than copyrights
in that a re-implementation of the same algorithm--is still covered</h5>
<h5>Footnote 5. S/WAN is a "secure wide-area networking" protocol from RSA--Free
S/WAN is a work in progress and being imported by another group of
cypherpunks and John Gilmore of the EFF</h5>
<h5>Footnote 6. Verisign is another CA--particularly for SSL certificates.</h5>
<h5>Footnote 7. PKI = Public Key Infrastructure--CA's are the certificate
authorities which verify identity and message integrity using public
key cryptographic algorithms. They act as neutral third-parties in
web and other Internet transactions and "vouch" for the authenticity
of a web site when a secure session is initiated</h5>
<h5>Footnote 8. VPN is the virtual private network-- using IP tunneling
and encryption to create "virtual" WAN links across the Internet</h5>
<h5>Footnote 9. SMIME is the Secure Multi-part Internet
Mail Extensions--that's MIME with digital signatures and message
authentication coding</h5>
<!--===================================================================-->
<P> <hr> <P>
<center><H5>Copyright &copy; 1997, Jim Dennis<BR>
Published in Issue 20 of the Linux Gazette, August 1997</H5></center>
<!--===================================================================-->
<P> <hr> <P>
<A HREF="./index.html"><IMG ALIGN=BOTTOM SRC="../gx/indexnew.gif"
ALT="[ TABLE OF CONTENTS ]"></A>
<A HREF="../index.html"><IMG ALIGN=BOTTOM SRC="../gx/homenew.gif"
ALT="[ FRONT PAGE ]"></A>
<A HREF="./latex.html"><IMG SRC="../gx/back2.gif"
ALT=" Back "></A>
<A HREF="./rcs.html"><IMG SRC="../gx/fwd.gif" ALT=" Next "></A>
<P> <hr> <P>
<!--startcut ==========================================================-->
</BODY>
</HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink