In the following paragraphs we will try to give a textual explanation of the poster presentation to be held in Helsinki during EUNIS'99.
We describe the two most important standards in Secure Data Transmission: SSL and PGP, and we enumerate some recommendations done for their implantation within the University of Las Palmas de Gran Canaria. Some details about the implementation are also given.
The drawbacks arising from the splitting of the implementation in two somehow competing standards, as much as the legal problems that rise due to the export restrictions of strong cryptographic software, have meant a brake in the necessary process of integration of these technologies in the application of Information Technologies, not only within the institutions but also in the communication among private individuals.
One of the areas that right now seem immune to the "Information Technologies Tide" is the academic bureaucracy. An academic institution as the University of Las Palmas de Gran Canaria deals each year with hundreds of thousands of documents (certifications, marks, listings, official communications and notifications) that right now, getting into the 21th century, have not been homesteaded by those technologies. This is due mainly to the lack of a strong standard regarding electronic signatures and individual identification and authentication, which are particular aspects of a bigger issue known as Secure Data Transmission (SDT).
In the present level of development of digital electronic communication, and as the trends indicate for the near future, the use of these facilities are becoming more and more important. They will play a predominant role, as the general public becomes more aware of its necessity and implications in everyday life.
Within Secure Data Transmission, we can distinguish two main issues: electronic signature of documentation (that provides authentication, which means the guarantee that the document has been produced -and not modified during transmission-by the signer) and encrypted channels of communication (which regards confidentiality of this communication). It is not difficult to envision the wide range of applications that both issues can have within the environment of an academic institution: signed academic certifications, authorizations, sensitive documents transmission i.e.: tests, marks, etc. In any case, it will mean an enormous saving in paper, time and money expenses.
There are right now two prevailing standards for Secure Data Transmission. The first one, with a vertical layout, is based on Certification Authorities (CAs) and popularized by Netscape and also adopted by Microsoft, which is implemented by Secure Sockets Layer (SSL) and its sequel TLS. The second one, with a horizontal approach, based on what is called "Web of Trust", is implemented by Phil Zimmermann's Pretty Good Privacy (PGP) and its sequels.
In the following paragraphs we will describe some proposals that have been made by the security committee of the University of Las Palmas de Gran Canaria for the adoption and widespread use of SDT techniques in the institutional environment.
In our particular environment, and taking into account the former considerations, we can identify two main scenarios for Secure Data Transmission (inside-outside and inside-inside) linked with two important families of electronic tools (mail and news in one of them, and Web-based applications on the other one). Thus the necessity of maintaining both schemes (SSL and PGP) to foster the widest interoperability.
Regarding SSL, the first recommendation was to setup a Certification Authority (ULPGC-CA) linked with the CA provided by the Spanish Academic Network, RedIRIS (CA-REDIRIS) to be able to transparently interoperate with other RedIRIS associated entities (all the universities in Spain, along with many other academic, research and government institutions). The deployment of this CA will permit the emission of server and personal certificates with validity in the whole range covered by RedIRIS and fostering a future integration with other similar Research and Academic networks in the European Union and the rest of the world.
The procedure for obtaining personal and server certificates can be accomplished with open source tools that are available in the Internet and that can be configured to minimize the hassle and burden for the final user. These tools are mainly based on Web interfaces, and are normally very easy to deploy and maintain.
The applications that will take advantage of these facilities are mainly related with Web-servicing and with the use of mail and news applications supporting S/MIME standard. One important observation is that, due to the export restrictions for cryptographic material in USA and Canada, the international version of Netscape Web Browser is "crippled" in the sense that only supports "weak" encryption (40 bit). This limitation can be overridden by the use of "fortified" software (http://www.fortify.net) that "restores" the full cryptographic functionality of such browsers. There is not, up to date, an equivalent solution for Microsoft's Web Browsers.
On behalf of PGP standard, the University staff installed a global PGP keys server (http://pgpkeys.ulpgc.es:11371). This PGP server is using Horowitz's server modified to hold the global PGP database, which right now occupies about 2 Gb. Obviously, the enormous size of the database means a big problem in any kind of software dedicated to this service. There have been some proposals to develop a distributed database (à la DNS), i.e. using LDAP (Lightweight Directory Access Protocol) and even DNS extensions. Our University anonymous FTP server is also the official Spanish repository for international full operative versions of PGP client applications, for the most popular operating systems (ftp://ftp.es.pgpi.com/pub/pgp).
The main use of PGP in our University relates to news and mail also, ranging from authentication of control messages between news servers to private e-mail secure transmissions.
Finally, it seems that the most sensible implementation for a closed and controlled environment regarding Secure Data Transmission for the inner data flow could be CA based. There are, however, some drawbacks most of them dealing with legal export restrictions for strong cryptography involving Microsoft OS products. This way, it seems necessary to keep an eye on PGP evolution as this product has been legally exported and provides full strong cryptography to popular Microsoft environments, outside USA and Canada.
An integration of vertical and horizontal approaches considers the synergic use of both methods to give a plus in Secure Data Transmission. In the case of legacy applications, which are difficult or impossible to convert to SSL, the deployment of SSL Tunnels are recommended. There are been some bashful attempts to make both standards cooperate. The most important to date, in our opinion is Thawte's policy for PGP electronic signature based on CA services.
It is important that to promote the use of these facilities, both academic authorities and general users must be convinced and aware of the advantages that can be achieved in data transmission by this means. Hence the necessity to teach the common user the required skills in the use of this tools.
Finally, the plethora of "legal quirks" (USA ITAR regulations, France ban to cryptographic applications and several other countries restrictions) mean an unnecessary and demagogic drawback in the development of these technologies.
One of the essential points related with the aforementioned utilities is the impact that they have in what we consider to be the "essential right to have privacy in the communications of all human beings". The technological facilities available to the governments and large corporations mean a threat to individual rights and liberties, as this governments (many of them non-democratic) and corporations can peep the communication between individuals. So, we fully subscribe the words and spirit of the speech of Mr. Zimmermann in the Senate of the United States of America: (http://www.nai.com/products/security/phil/phil-quotes.asp).