RE: [registrars] SSL Toolkit

["Jason Hendeles" <jason@dotpower.com>]

Jason Hendeles wrote:

I have been in dialogue with Verisign with respect to the SSL issues raised
by Len Bayles and others and have a few comments and questions.

Why do we need the 'toolkit'?  This kit is not necessary to facilitate SSL.
SSL licenses can be incorporated directly into the server, they don't need
to be build into the software or interface.  Registrars should just purchase
the standard 'Global' application for as many servers as is necessary to
facilitate their service.  The cost of this is less than $1,000 US per
license per server.

After consulting with Alan Goncalez of Verisign, the following infomation
was recieved about the standard Global SSL certificate:

Global Server IDs allow 40-bit browser users to get 128-bit encryption
without upgrading their software. The browser will automatically recognize
the global certificate and negotiate a 128-bit session.  The browser must
support the 128-bit 'Step-Up' technology. (See Below) If the browser does
not support 'Step-Up' the secure server will negotiate down to 40-bit.

'Step-Up' Compatible Browsers:
Netscape Navigator 4.0 or later
Microsoft Internet Explorer 4.0 or later
Microsoft Internet Explorer 3.02 with a special patch or later
Microsoft Money 98
Intuit Quicken

Secure Server IDs use the default encryption setting of the browser. All
international browsers and half of US based browsers have a default
capability of 40-bit. To obtain 128-bit encryption users of 40-bit browsers
must upgrade to a new 128-bit browser or connect to a website with a Global
Server ID.

Please let me know if you have further questions.

Best Regards,

Allen Gonzalez
Internet Sales
VeriSign, Inc.

Phone: (650) 429-5107
Fax: (650) 961-7300
Email: agonzalez@verisign.com
http://www.verisign.com



> -----Original Message-----
> From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org]On
> Behalf Of Len
> Sent: Monday, August 16, 1999 8:06 PM
> To: registrars@dnso.org; daveg@netsol.com; Louis_L._Touton@jonesday.com;
> mclaughlin@pobox.com; edyson@edventure.com; bburr@ntia.doc.gov;
> KROSE@ntia.doc.gov
> Cc: Len; Dan Limb
> Subject: [registrars] SSL Toolkit
>
>
>
> Greetings,
>
> 	We are in the process of selecting a SSL toolkit.  Because we are
> in the US we fall in to the "lucky group" that has to work out a license
> agreement with RSA.  This is very expensive from what I've just found
> out by talking with RSA.  (Min 15k)  That's on top of the software
> price of $2,500 or more. In 13 months this will no longer be an issue
> because the RSA patent will expire give all Registrars the same option
> of unlicensed use.  But in the mean time I believe it is a burden on
> small Registrars in the US.
>
> 	I would ask this:
>
> 		Is there another method, acceptable to NSI, that would
> 		provide the same level of security?
>
> 		Could this other method be available until Sept 22,2000?
>
> 		Are there issues that I am over looking?
>
> 	If there is no alternative, is there a possibility of a group effort
> on a single code base, for the SSL, that would qualify for a
> single license
> + royalties?  Since this does not go into the RRP code the NSI
> NDA should not
> be a problem. (Dave tell me if I'm wrong.)
>
> 	It's not my intention to cheat RSA out of their just
> rewards.  I would
> hope there is a less costly way to go about this whole process.
> I think 15k
> + 2.5k for a toolkit, that we still have to develop into an interface, is
> a burden.
>
> 	I hope this is a burden we can avoid.
>
> Thanks
>
> Len Bayles
> Project Manager All West Registry
> All West Communications
>