
Re: Netscape Changes RSA tree



On Thu, 20 Apr 1995, Lee Neely <lkn@llnl.gov> wrote:
>I just learned that Netscape added a new root to the RSA tree
>when they licensed the Digsig part of the netsite server.
>
> You see, if you're a current Certificate Authority
>(I am) and you wish to assign a Digital Certificate to Netscape, you can't.
>(Unless you pay RSA *MORE* money and upgrade your software, which isn't 
>really available yet.)  The alternative is to pay RSA for your certificate
>(yes, like everyone else!) and then get one from them.

EIT's Secure NCSA Mosaic for X and Secure SPRY Mosaic, both of which support 
Secure-HTTP, support the addition (in the client and the server) of new root 
certificates.  I have the impression (for some reason) that Netscape was going 
to allow this capability in the next major release of their browsers and server, 
at the same time as they add client-certificate support.

>While this seems minor, after all, I am only talking about one server;
>WHEN we get to version 1.5, which is supposed to support Certificates at
>the client level, we could be forced to pay for many certificates, outside
>of our current purchase arrangement with RSA.  Further, the potential
>exists for users to have to have TWO certificates.  One for their "regular"
>digitally signed documents, and one for Netscape.  And at $279, plus the
>browser, this is not a bargain!! *so much for a distinguished name that
>uniquely identifies you*

Heh.  That's true.  At the WWW conference last week, during the Security panel, 
an attendee said that their pet peeve is web services which require personal 
logins, since you end up having needless multiplication of logins.  However, 
Owen Rees of ANSA, who was on the panel, brought up the point that a user should 
not necessarily always have the same set of access rules - the identification is not 
always "this is me", sometimes it is "this is me, the person who fills this 
role."  An example given was the "Duty Officer" in the armed services - the DO 
is identified by their role, not their name.  Just food for thought.

I do agree that multiplication of keys due to different required rootings of the 
tree hierarchy is, in general, a bad thing.  The problem, though, is the issue 
of trust.  SPRY certainly wouldn't want to depend on Netscape to certify keys 
used by SPRY employees to authenticate for sensitive internal documents, or vice 
versa.  The need for a "universally trusted" root exists, and the possibility of 
that being government-based gives me the willies.  I can't think of any party 
that could be said to be completely disinterested.  

-Chris Wilson

:::::::::::::::::::::<<< NETWORKING THE DESKTOP >>>::::::::::::::::::::
 Chris Wilson            	    Spry, Inc.
 WWW Technology Lead		    316 Occidental Avenue S. 2nd Floor
 Email: cwilson@spry.com	    Seattle, WA  98104
 Phone: (206) 447-0300		    FAX: (206) 447-9008
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


