Welcome!

Roxanne Reid-Bennett rox at tara-lu.com
Mon Mar 8 19:59:33 CST 1999


Arthur Corliss wrote:
>[...] 
> That's right.  Kind of annoying not to have the same freedoms as the
> Outside.  :-P

Well, that's the rich international patent registration field vs US NSA
regs you're talking of.  RSA isn't allowed to export the technology, so
of course they can't have a patent on it outside the US <veg>

> 
> > You can also attempt to build SSLeay w/o the RSA crypt stuff - but I
> > haven't tried that.
> 
> What other algorithms would be usable, then, and how widely supported by
> browsers?  I wouldn't have thought that the mainstream browsers would
> support much more than RSA.

Frankly, I'm not sure.  However... The SSLeay doc itself indicates that
you can use IDEA (easily hacked) or triple DES (paranoid minded) instead
of the RSA techniques. I've noted with the interface that I'm playing
around with more often than not (what little I paid attention to it),
the SSLeay interface to Netscape Commerce Server picked triple DES.
[it's an "auto-magically selected encryption algo depending upon what
each side speaks"]

That's about how much I know.  There is a list of options for encryption
that goes along these lines (for SSLeay): (from the README)

>         DES (1, 2, and 3 key versions of ecb, cbc, cfb, and ofb; pcbc
>         and a more general form of cfb and ofb) including desx in cbc
>         mode.
>         RC4 encryption,
>         RC2 encryption          - 4 different modes, ecb, cbc, cfb and ofb.
>         Blowfish encryption     - 4 different modes, ecb, cbc, cfb and ofb.
>         IDEA encryption         - 4 different modes, ecb, cbc, cfb and ofb.
>   Digests
>         MD5 and MD2 message digest algorithms, fast implementations,
>         SHA (SHA-0) and SHA-1 message digest algorithms,
>         MDC2 message digest.  A DES based hash that is popular on smart cards.
> 
>   Public Key
>         RSA encryption/decryption/generation.  There is no limit
>                 on the number of bits.
>         DSA encryption/decryption/generation.   There is no limit on the
>                 number of bits.
>         Diffie-Hellman key-exchange/key generation.  There is no limit
>                 on the number of bits.
> 
>   X509v3 certificates
>         X509 encoding/decoding into/from binary ASN1 and a PEM
>                 based ascii-binary encoding which supports encryption with
>                 a private key.

I am *not* a crypt knowledgeable person, so most of this is Greek to me.
I did read a short lesson on cryptography for net transactions that
explained some of the issues around trusted servers (hence the need for
certificates from known issuers), spoofing, trojan, and other ways that
people can get in the middle of a conversation and wreak havoc.  

I'm trying to keep my interface to a minimum, namely using layered perl
products on an already installed version of SSLeay (with an already
purchased license) for a customer who has purchased the right to use
that version of SSLeay through the web interface. I've told my customer
that I'm not 100% certain he's legal, even with this...the only way I
know for him to be sure would be to contact RSA directly.

Rox
-- 
Roxanne Reid-Bennett                       rox at tara-lu.com
President, Tara-Lu Corporation     http://www.tara-lu.com/
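
The "selected depending upon what each side speaks" behaviour discussed in the message, sketched as an added example that is not part of the original post and is not SSLeay code. The suite names are SSLv3 cipher-suite identifiers; the client and server offer lists are constructed, and picking the first match in the client's order is an assumed selection policy.

```python
# Added illustration: SSLv3-style cipher-suite negotiation (not SSLeay code).
# Each suite names a key exchange, a bulk cipher and a MAC digest.

def parse_suite(name):
    """Split 'SSL_<kx>_WITH_<cipher>_<mac>' into its three parts."""
    kx, rest = name[len("SSL_"):].split("_WITH_")
    cipher, mac = rest.rsplit("_", 1)
    return {"name": name, "kx": kx, "cipher": cipher, "mac": mac}

def uses_rsa(suite):
    """True if RSA performs the key exchange or the authentication."""
    return "RSA" in parse_suite(suite)["kx"].split("_")

def negotiate(client_offer, server_enabled):
    """Return the first suite in the client's order that the server enables,
    or None (handshake failure) when the two sides share nothing.
    Client-order selection is an assumption made for this example."""
    for suite in client_offer:
        if suite in server_enabled:
            return suite
    return None

# Constructed sample data, not taken from any real product's defaults.
SERVER_FULL = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_IDEA_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
]
# The same server built without RSA: only DH-based key exchange remains.
SERVER_NO_RSA = [s for s in SERVER_FULL if not uses_rsa(s)]

CLIENT_RSA_ONLY = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
]
CLIENT_WITH_DH = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for label, client, server in [
        ("RSA-only client, full server", CLIENT_RSA_ONLY, SERVER_FULL),
        ("RSA-only client, no-RSA server", CLIENT_RSA_ONLY, SERVER_NO_RSA),
        ("DH-capable client, no-RSA server", CLIENT_WITH_DH, SERVER_NO_RSA),
    ]:
        print(f"{label}: {negotiate(client, server) or 'handshake failure'}")
```
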



More information about the Anchorage-pm mailing list