Path: utzoo!attcan!uunet!lll-winken!ncis.llnl.gov!helios.ee.lbl.gov!pasteur!ucbvax!VENERA.ISI.EDU!braden
From: braden@VENERA.ISI.EDU
Newsgroups: comp.protocols.tcp-ip
Subject: Re: RSA Encryption on the Internet
Message-ID: <8903222040.AA03642@braden.isi.edu>
Date: 22 Mar 89 20:40:31 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 90

    The New York Times reported today that the Internet has decided
    to adopt RSA as the basis for an authentication scheme. This was
    done after appropriate negotiations with RSA, Inc., concerning
    licensing. Can someone post the details, both technical and
    administrative? (It's odd to learn something significant about
    the Internet from the mundane media...)

    --Steve Bellovin
    att!ulysses!smb, smb@ulysses.att.com

Steve,

Yes, it certainly is odd. We (the IAB) are trying to improve the info
flow, but we obviously have a distance to go. The general info was
published in the Internet Monthly Report recently, but that is pretty
much limited to the research community. I am appending that
announcement. The details will be covered in future (we hope not too
distant future!) RFC's being prepared by the Privacy and Security Task
Force, Steve Kent, proprietor.

Bob Braden (for the IAB).

____________________________________________________
____________________________________________________

IAB REPORT -- February 1, 1989

This is the first of a series of reports on those decisions and
actions taken by the Internet Activities Board that should be of
general interest to the Internet community.

The following items are decisions made at the January 1989 meeting of
the IAB.

A. Private Mail

For several years, the Privacy&Security Task Force chaired by Steve
Kent of BBN has been developing a scheme to add privacy to SMTP-based
electronic mail. RFC's to be published soon will contain the final
details of the plan for encapsulating encrypted text within SMTP
messages (see RFC-1040 for an earlier draft) and the plan for key
distribution.
This scheme will (optionally) provide data confidentiality, origin
authentication, per-message integrity, and non-repudiation by the
originator, and is based upon public-key encryption using the RSA
algorithm. Public keys will be bound to individuals by means of "user
certificates", which will be issued by a private company, RSA Data
Security Inc. The expected cost will be $25 for a user certificate
valid for two years.

The IAB reviewed this plan and gave the go-ahead to proceed with
implementation in the Internet. Not everyone needs private mail, of
course, but for those that do, this feature should allow Internet
email to take on a new importance.

B. The Worm Incident

The IAB joined others in the community in expressing its deep concern
about the recent Internet worm incident and the resulting public
reaction. The IAB released a policy statement that has been published
in RFC-1087, entitled "Ethics and the Internet."

The IAB plans to take future steps to make the gateway protocols more
secure against subversion and to improve the facilities for network
managers to selectively isolate pieces of the Internet should such
problems recur.

C. Draft Documents

The IAB believes that the Internet community is best served if there
continues to be only one archival series of documents, the RFC's. To
help prevent the erosion of this singularity, the IAB has decided that
the IDEA series of draft documents maintained by the IETF will be
replaced by a series of "Internet drafts". The new series is crafted
to minimize inappropriate citations and to ensure that these drafts
move forward into RFC's as quickly as possible. Details were announced
by Phill Gross, chair of the Internet Engineering Task Force, at its
January 1989 meeting.

D. IP Security Option

A vendor requested an IP Option for commercial security, where the
contents of this option would be unstandardized and vendor-specific.
The IAB felt strongly that IP options must be publicly defined and
documented, while proprietary or privately-structured options are a
bad idea.

The IAB will initiate a broad-based effort to define a (commercial)
security option for IP. Interested parties may contact Steve Kent
(Kent@BBN.COM (617) 873 3988).