On Apr 29, 2014, at 12:28 PM, Thierry Moreau <thierry.mor...@connotech.com> wrote:
> On 2014-04-29 18:18, ianG wrote: >> On 29/04/2014 19:02 pm, Greg wrote: >> >>> I'm looking for a date that I could point to and call the "birth of >>> modern HTTPS/PKI". >>> >>> There is the Loren M Kohnfelder thesis from May of 1978, but that's not >>> quite it because it wasn't actually available to anyone at the time. >>> >>> Perhaps an event along the lines of "first modern HTTPS implementation >>> in a public web browser was released", or something like that. >>> >>> Any leads? Maybe something from Netscape's history? >> >> >> Yes, 1994, when Netscape invented SSL v1. Which had no MITM support, >> which was then considered to be a life and death issue by RSADSI ... >> which just happened to have invested big in a think called x.509. And >> the rest is history. >> >> Some commentary here, which is opinion not evidence. >> >> http://financialcryptography.com/mt/archives/000609.html >> > > I guess the historic gap between Loren Kohnfelder thesis and Netscape SSL > development has to be filled with due consideration of the OSI development, > and notably the Network Layer Security Protocol (NLSP). > > Prior to the domination of IP protocols, the "information highway" was > expected to be secured with the NLSP over an X.25 backbone. No. NLSP had two modes, connection-less and connection oriented. I was one of the authors … The connection oriented never went very far. NLSP was essentially the SP3 protocol developed as a research effort with NSA funding for a complete suite of protocols using public key based authentication in the Secure Data Network System (SDNS) project. it was the late 80’s and at the time NSA encouraged open publication of the work. NIST published the effort as the “SDN” series (e.g. SDN.301 for layer 3 security). The same work went into ISO (as NLSP) and the IETF. The SP3 and KMP were starting points of the IPsec work. In hind sight, the KMP specification is much better than what we ended up with IKE. However, some good improvements were added in the process. It’s interesting that I can not find any of the NIST published SDN specification on the NIST site :-( More digging required. The Message Security Protocol (MSP) work was also a SDNS effort for secure email. When taken public this morphed into our current Internet email security. Paul > > The payment industry was investing in SET (Secure Electronic Transactions), > and the Netscape SSL was first perceived as a childish attempt for a quick > and (very) dirty short term solution. > > Even then, in my understanding, there would still be a gap between Loren > thesis and the NLSP development. I have some clues that the Digital Equipment > DecNET protocols would fill this gap. > > Don't look at Microsoft. By 1995, their only IT security commitment seemed to > be for a facsimile security protocol (even devoid of public key crypto). > (This should have been a prior art against Data Treasury cheque imaging > patent battle, but that's another lllooonng story.) > > In retrospect, the ASN.1 based X.509 security certificate has been salvaged > from the OSI effort thanks to Verisign dedication to license their patents > for some IETF protocols on easy terms. > > Lotus Notes security is special because it evolved from an RSA technology > license acquired prior to RSADSI, and they use certificates without the > ASN.1/X.509 paradigms. > > Regards, > > - Thierry Moreau > _______________________________________________ > cryptography mailing list > cryptography@randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
