Hello, I'm Ralf, a secure solutions designer.

Instead of boring you with details of my life, I want to tell you a story that has been the foundation for what I'm doing now.

Some twenty years ago, in the early nineties, I happened to teach science and informatics at an adult education institute in Germany. At the time the internet was a rare thing: commercial internet access was charged at a considerable sum per hour, and the modems made that shrieking noise and were desperately slow.

I was convinced that the internet had to be a major subject at the institute and that I had to show my students the real thing to work with. At that time the internet was well established at the university nearby, so I went to the computer science department and asked Gerd, the one in charge of all the cables in the department, if he could provide me with internet access for my institution.

The answer was a resounding NO.

His refusal came as a surprise to me, because I thought he would appreciate my attempt to get the internet in front of the eyes of my students, who would eventually become the backbone of the information technology experts of the future.

From his perspective it was a totally different story: some well-intentioned post-grad was asking for an extension of the university network into his own institution, an appendix that Gerd himself would be held responsible for.

Then it got personal

But I was not prepared to give up, so I stressed the importance of using the internet in my classes, and Gerd started to quiz me about information security. How would I ensure that the access would not be misused?

The funny thing was that every answer I gave turned into the starting point for another question. Gerd made it crystal clear to me that I was not prepared to live up to the promise of making abuse technically impossible. He familiarised me with the mindset of an adversary looking for a hole in the setup, and he was the one who made me security-aware. He also sparked my interest in UNIX. As a consequence, I came to love information security as the single most interesting thing I needed to know about.

I cannot thank Gerd enough for this lesson in computer security.

The grilling continued on my further visits to Gerd's department, but after a while I walked away with the access code for a dial-in connection and a subnet of the university's class B IP address space, on the condition that I personally would be responsible for everything that happened when the connection was used, come hell or high water.

I hope you'll understand how carefully I tried to establish the use of my new crown jewels in the institution, fighting off colleagues' demands for "free access" that would have compromised my efforts to establish web security. And I learned a lot in the process.

Encryption

Linux was not on my radar at the time; I used SCO UNIX to run the connection to the university. But the licence costs really did bite and threatened to render the project unsustainable. So in the mid-nineties I switched to Linux, which had become stable and promising, kissing SCO goodbye for good.

By then a piece of software called PGP was the talk of the town in security circles. Using strong encryption for email promised to be a big step towards establishing reliable web security. The fact that PGP was treated similarly to weaponry in the US, with export controls imposed on encryption software, led to a more open approach in Europe, where PGP was seen as an effective tool to make information security happen on a wide scale.

It was around this time that the German Research Network in Hamburg started to tackle the problem of key management for PGP. The idea was to establish a network of institutions that would certify PGP keys all over the country under the supervision of the DFN-PCA in Hamburg. Of course I joined the initiative and ran a CA for a couple of years, signing PGP keys for ordinary people free of charge.

Based on my practical use of PGP, I started to engage in cryptographic research and published my findings on my personal website.

Going public

In the summer of 2000, I had a look at the new key format PGP had introduced. In Europe a number of researchers voiced concerns about the new ADK feature, concerns that were routinely ignored in the US, the home of PGP. This ignorance motivated me to look more closely at the new PGP version, and I discovered a serious problem with the way additional keys could be added without a user's consent. By then the GnuPG project had been started in Europe as a reaction to all the trouble with commercial PGP.

It became clear that email encryption had developed a complexity that made it unsuitable for the ordinary user. "Why Johnny Can't Encrypt" was the title of a research paper that summed it up nicely.

In the early years of the new millennium, the internet exploded and the expectation was that web security would become more and more important for every business online, so I began to help businesses extend their websites with secure online services and helped to secure their servers.

And that's what I still do today.