
Re: SSL Replacement



> 			Replacement for SSL v0.02
> 			Copyright(c) Jim Bresler 1997
> 
> 	Hi, I was thinking about the patent and I had an idea of an alternate
> to SSL.  Any comments would be appreciated, as this is an early draft.  This
> relies on a set of certificates being secure, which this entire system will
> depend on.  The technique described here can be implemented without using
> any patented algorithms.
> 
> 	Basically, the idea is that each server host is assigned a DSA 
> key that must be assigned by a certificate authority.  Note that if a 
> certificate authority signs another certificate authority, they are considered 
> a certificate authority.
> 
> 	Whenever a certificate authority signs a normal server certificate,
> it MUST include an IP address in this structure.  If this is not done, a
> man-in-the-middle attack is trivial.  Although not required for the protocol,
> it should include the name of the key holder and the company name.

This is not necessarily desirable.  If you've got a man-in-the-middle,
then you're talking to a different IP address anyway (proxy) and you're unable
to verify the IP address of the server.  It doesn't buy you any extra security
and so you're just making things more complex for potential
vendors...businesses move, you know.  This also makes the protocol asymmetric
and that's not desirable either.

To some extent, SSL is just a stopgap for secure IP.  And secure DNS (with a
public key for the host served up by DNS) is on the way as well.

The rest should be run by cypherpunks as I'm not up on the semantics of DSAsign.

	stig