SCN: Re: OPS: A Preliminary Review of SSL

Randy Groves randy at scn.org
Thu Mar 2 09:43:46 PST 2000


I think we're getting off track here.  There is NO NEED to worry about
user certificates here.  The ONLY thing that we need to do is enable Lynx
to verify a site's SSL certificate to establish an encrypted session.
This is what is known as an 'anonymous' SSL connection.  The host is the
only part of the connection that is supplying a certificate.  Typically,
there isn't even a request to the browser user to verify that they want to
accept the certificate.

If we get into CLIENT authentication, then we start to worry about
security of certificates, but not before.

-randy


On Thu, 2 Mar 2000, J. Johnson wrote:

> Taking Andrew's comment first, there is nothing about SCN's "platform"--
> meaning hardware or operating system--that precludes encryption services
> such as SSL.  The reason such services are "unsuitable for SCN" (at least
> at the current time) can be taken from Rod's comment:  "responsibly run". 
> 
> As I pointed out in the original post to the 'hardware' list, it is ill
> advised to run any kind of encryption service on a multi-user networked
> host.  Not that it cannot be done, for nearly any fool can fire up a web
> server, call it "secure", and offer services.  But to do so responsibly
> (to not cruelly deceive people with a parody of security)  requires an
> attentiveness to security that SCN has just not been able to attain.
> 
> Rod asks, "What exact steps would SCN have to undertake before it could
> run LynxSSL with good results?"  I don't know.  The best approach might be
> to just do PPP, and let the users do SSL on their own machines (with SCN
> being just a conduit).  As to PPP:  well, I think I could turn it on in
> about twenty minutes.  But Rod did say, "with good results", and that
> depends on a lot of other work, so again:  I don't know.  I wanted to work
> on a key element of that tonight, but once again the several hours I had
> for SCN have just slipped away.
> 
> What's to be done?  I don't know.  While technical work is involved, the
> failure to get it done seems to be non-technical.  There are certainly
> problems in Operations--even if we are unpaid volunteers I think we should
> be doing better.  I would very much like someone (Andrew? Rod?) to
> "consult"  with some other freenets and see how they get work done with
> unpaid staff.  But I think we also have organizational problems
> (especially when I consider how much time I put into non-technical issues
> here).  And that is a Board issue--which the Board refuses to address. 
> 
> So what can I tell you?  That I'm working on it, go bug someone else?
> That your expectations outreach our capabilities?  Or go find out how
> other freenets do and tell me?  Or that we will have grown-up services
> when we grow up?  After several hours of cogitation:  I still don't know.
> 
> (And I hope the rest of you can carry this discussion without me because I
> really would like to do the technical stuff instead.) 
> 
> === JJ =================================================================
