[cryptography] Request - PKI/CA History Lesson

Greg greg at kinostudios.com
Tue Apr 29 16:45:03 EDT 2014

On Apr 29, 2014, at 1:18 PM, ianG <iang at iang.org> wrote:

> Yes, 1994, when Netscape invented SSL v1.  Which had no MITM support,
> which was then considered to be a life and death issue by RSADSI ...
> which just happened to have invested big in a thing called x.509.  And
> the rest is history.
> Some commentary here, which is opinion not evidence.
> http://financialcryptography.com/mt/archives/000609.html

Fascinating. I especially liked the timelines there, thanks for the link!

I'm now slowly coming to the conclusion that my search for a specific "birthdate" of modern PKI might be in vain.

The way I phrased it in an email to Peter was:

Do you happen to know of the date of the following event: when did the first publicly available web browser successfully connect over HTTPS to a publicly available HTTPS website, and have the website's certificate validated by a CA in the same manner as it is done today?

..if that's not available, then simply the date of the release of the first implementation of HTTPS?

There's also this little timeline graphic from the link:

Then there's the wiki: https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development

Which says:

The SSL protocol was originally developed by Netscape.[10] Version 1.0 was never publicly released; version 2.0 was released in February 1995 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0."[11] SSL version 3.0, released in 1996, was a complete redesign of the protocol produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in RFC 6101.

And there's the x509 wiki: https://en.wikipedia.org/wiki/X.509#Public-Key_Infrastructure_.28X.509.29_Working_Group

The Public-Key Infrastructure (X.509) working group (PKIX) was a working group of the Internet Engineering Task Force dedicated to creating RFCs and other standard documentation on issues related to public key infrastructure based on X.509 certificates. PKIX was established in Autumn 1995 in conjunction with the National Institute of Standards and Technology.[17]

So... it sounds like Netscape either had a publicly available implementation of "modern PKI" before, or at about the same time as the standards were being published.

In that case, while there doesn't appear to be a precise date, the birth year at least seems to be 1995. This monstrosity was born sometime late 1995.

Is that about right? Or would I be mistaken to call that the birth year?

Thanks much for the history lesson and fascinating references!

- Greg

Please do not email me anything that you are not comfortable also sharing with the NSA.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gp8.png
Type: image/png
Size: 10352 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20140429/d3b2812f/attachment.png>