Monoculture

Jill Ramonsky Jill.Ramonsky at aculab.com
Thu Oct 2 09:21:29 EDT 2003


Thanks everyone for the SSL encouragement. I'm going to have a quick 
re-read of Eric's book over the weekend and then start thinking about 
what sort of "easy to use" implementation I could do. I was thinking of 
doing a C++ implementation with classes and templates and stuff. (By 
contrast OpenSSL is a C implementation). Anyone got any thoughts on 
that? Also - anyone thinking of using something like this - could you 
post (in another thread maybe) suggestions as to what kind of "simple" 
interface you actually want? As in, what you want it to do? All 
suggestions gratefully considered, but in the light of comments in this 
list, I will /not/ turn it into bloatware just to satisfy all demands. 
(OpenSSL can do that). Finally - I'll need some help setting up a 
sourceforge thing as I've never set up an open source project before and 
don't really know how to go about that. Some advice on licensing 
wouldn't go amiss either. (GPL? ... LGPL? ... something else?)

Re Don's comments below:

This seems to me to be a /serious/ flaw in the design of MSIE. What if 
Alice doesn't /have/ a CA because she can't afford their fees? (or she 
doesn't trust them, or for any other reason you might care to think of). 
In fact, if I've understood this correctly, if Alice uses MSIE, she 
can't even tell her browser to trust her own website, despite being in 
possession of not only her own public key, but her own secret key as 
well! What is it with MSIE that it would prefer to trust someone other 
than Alice about the authenticity of Alice's site !!!???

Okay guys - _this is a serious question_. Alice has a web site. Alice 
has a web browser which unfortunately happens to be MSIE. Alice wishes 
to view Alice's web site using Alice's browser (which is not on the same 
machine as the server). Alice does not wish to trust ANYONE else, but 
she does trust herself absolutely. How does she get the browser to 
display the padlock?

I wouldn't be at all surprised if the answer turns out to be "It can't 
be done". (That may not be a problem if other browsers don't have this 
design flaw, of course, since Alice can tell all of her friends "don't 
use Microsoft").

Jill


 > -----Original Message-----
 > From: Don Davis [mailto:don at mit.edu]
 > Sent: Thursday, October 02, 2003 1:26 PM
 > To: Jill Ramonsky
 > Cc: cryptography at metzdowd.com
 > Subject: RE: Monoculture
 >
 >
 > > Is it possible for Bob to instruct his browser to
 > > (b) to trust Alice's certificate  (which she handed
 > >     to him personally)? (And if so, how?)
 >
 > how it's done depends on the browser:
 >
 > in MSIE 5:   Edit > Preferences.., > Web Browser >
 >              Security > Certificate Authorities
 >
 >             (there seems to be no way to tell MSIE 5 to
 >              trust Alice's server cert for SSL connections,
 >              except to tell MSIE 5 to trust Alice's CA.)
 >


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com