
Re: Public key crypto



Rick H. Wesson allegedly said:
> 
> Kent,
> 
> The use of pgp by the population at large may be ok, in some countries
> it is not. Use of pgp by the registries would be strictly illegal and RSA
> would take issue with the registries using it for commercial purposes.
> This is why NSI uses viacrypt, I do believe Viacrypt is not exportable from
> the USA.

This is a complicated subject.

1) Some way of authenticating registrars is absolutely necessary.

2) PGP is the single most widely available digital signature product 
available. There are other products, but no other is as likely to be 
available to a registrar in a foreign country.

3) PGP has some internet standing -- informational RFCs, PGP/mime, etc.

4) PGP is used only for authentication, not encryption.  In some 
jurisdictions that makes a difference.

5) Countries that completely forbid encryption are going to have a 
hard time doing lots of internet stuff -- eg secure DNS.

6) Commercial versions of PGP interoperate with the PD ones.  PGP, 
Inc purchased Viacrypt, and will be marketing PGP under their own 
name.  Of course, a registrar would use a commercial version if it 
was an issue.  Internationally they would have to, currently.  
Current Viacrypt PGP interoperates with international versions.

7) The licensing issues are extremely complex, but use of a 
commercial version of PGP in the US and an international one 
externally will probably work.

8) Any commercial secure database is not going to be exportable.  Any 
authentication mechanism you build on top of it is going to be 
an export issue as well.

[...]

> 
> Lastly the use of pgp via pipes or FIFOs is still a bit more unreliable, and
> slow, bringing transactions to 1/20 of what they could be w/o using pgp.

It's true that running PGP that way really slows things down. 
However, the number of transactions involved is far, far less than it
would be with a full-fledged database -- basically 2-3 invocations of
PGP per domain name creation, and no other traffic.  You could create
a thousand domains a day and not have performance be a significant
issue.

BTW,  the new version of PGP under development by PGP, Inc has an API that 
could be licensed.  There will undoubtedly be conforming 
implementations internationally.

> IMHO the IAHC and CORE should not promote the use of technology that
> would be illegal for a registry and/or an individual to use. The technology
> used to run the CORE db should not incur any legal issues for its use.

If you want to be able to authenticate registrars you have legal 
issues.  If you don't authenticate registrars you have other problems 
to deal with.

-- 
Kent Crispin				"No reason to get excited",
kent@songbird.com,kc@llnl.gov		the thief he kindly spoke...
PGP fingerprint:   5A 16 DA 04 31 33 40 1E  87 DA 29 02 97 A3 46 2F