RE: Using Netsite Commerce Server with non-RSA certificate?

• To: www-security@ns2.rutgers.edu, jnm@ornl.gov
• Subject: RE: Using Netsite Commerce Server with non-RSA certificate?
• From: George Parsons <george@Verisign.COM>
• Date: Wed, 7 Jun 1995 11:40:07 -0700

I am the manager for RSA's Certificate services operations group.  A couple of comments and additions to what Jamey has presented.

> From owner-www-security@ns2.rutgers.edu Tue Jun  6 22:46:50 1995
> X-Sender: jnm@cosmail5
> Mime-Version: 1.0
> Content-Type> : > text/plain> ; > charset="us-ascii"> 
> Date: Tue, 6 Jun 1995 15:48:59 -0400
> To: www-security@ns2.rutgers.edu
> From: Jamey Maze <jnm@ornl.gov>
> Subject: RE: Using Netsite Commerce Server with non-RSA certificate?
> Sender: owner-www-security@ns2.rutgers.edu
> Content-Length: 3538
> 
> As a follow up to my original posting, the following is the response I got
> from Netscape:
> 
> >Currently, RSA is the only certificate authority who can provide Netscape
> >server certificates.  It is not possible at this time to set up a private
> >certificate authority for your own use, or to use a different certificate
> >authority to obtain your certificate from.
> 
We have been operating a commercial level CA/PCA for over two years.  This 
CA is for individuals.  We have been operating a secure server CA for over 
6 months.  This CA is for secure entities, including Netscape Commerce Servers.

Both of these Certificate Hierarchies are operating in an open/interoperable 
manner.  We have not "published" our policy statements in the RFC fashion but 
do have strict policies and procedures which govern the operation of these 
two domains.  We have issued Certificates for servers, companies, and 
individuals throughout the world.

> If I'd of read Netscape's documentation
> (http://home.mcom.com/info/netscape-security.htm) I would have known that:
> 
We are working on our web pages in the area of certification.  Stay tunned for more detailed and tutorial information.

> >The Netscape Navigator includes embedded Certificate Authority (CA) keys for
> >certain CAs, including our test CAs. As new CAs come online, we will embed
> >their keys as well. These embedded keys allow the Netscape Navigator to
> >verify the legitimacy of arbitrary servers. See the Document Information
> >dialog to inspect both the identity of a given server as well as the
> >identity of the CA that issued the server its certificate. SSL requires
> >servers to have certificates issued by a Certificate Authority; the
> >Netscape Commerce Server includes a mechanism to easily acquire such a
> >certificate.
> 
> Responding to a few comments...
> 
> At 9:10 AM 6/5/95, Bob Denny wrote:
> >Netscape's browser accepts only "real" Netscape certificates. Imagine
> >what would happen if "anyone" could run a server that successfully
> >communicated with Netscape Navigator? The average person won't check
> >the "Document info" and examine the certification of the server, so
> >if I ran a bandit server, hijaacked B of A's IP address, then put up
> >a bogus credit card application, I'd have a field day.
> >
> >Netscape and RSA carefully control the issuance of certificates that
> >are acceptable to the Navigator.
> 
> You have a point about the average user not knowing what's going on and
> possibly being dupped. But if I were a bad guy and wanted to dupe local
> users, since they get their copies of Netscape Navigator from my
> organization, I probably could do it with or without an RSA certificate (if
> I were able to embed my CA's certificate in the Navigator). It seems that
> until users begin to understand a little about the certification process,
> the potential for such abuse is there. (Similar potentials exist in the
> current environment.)
> 
I could not agree more.  Members of this discussion group are, for the most 
part, very knowledgable with respect to crypto and certification.  We are a 
very small segment of the total audience that the web technology will reach 
very soon.  It is up to us as a group to seamlessly integrate public-key 
technology (including certification, into products and services for the web).
Easier said than done.

> At 5:45 PM 6/5/95, isaac j g wrote:
> >I'd be real suprised if you could do this with the commerce server since it
> >would require modification to the SSL protocol code and the notion of
> >doing this defeats the purpose of a central CA which SSL is based upon.
> 
> The notion of a central CA isn't sacred to me. In my situation, the RSA CA
> wouldn't be any more trusted than a locally administered CA.
> 
I understand Isaac's position.  Who guards the guard?  Our message and the 
value that we bring to the area of Certification should become more clear 
as time passes.  At this point we have not done an adequate job of raising the important issues and stating our solutions.  Again our web 
pages will be enhanced soon to educated all parties on these issues.

> At 7:59 AM 6/6/95, J. David Stanton, Jr. wrote:
> >If you haven't already acquired the "Commerce" server,
> >why not just get the "Communications" server, which is
> >both cheaper and doesn't have the authentication stuff
> >that it seems you're trying to avoid.
> 
> No, I'm not trying to avoid the "authentication stuff", but was hoping I
> could have used it without having to go through the process of getting an
> RSA certificate. (I would have setup my own CA and certified my own
> certificate.) The RSA process requires that some legal documents be
> provided. In my company, when you get lawyers involved, it'll certainly
> take a long time and chances are high it'll get caught on some legal snag
> and never happen.
>
We have, hopefully, set up a process that does not require the involvment of 
any organizations legal staff.  If a lawyer is necessary to find your 
organization's business license then I guess you'll have to get them 
involved.  We have not found this to be true in most (about 95%) of 
customers we have issued Secure server certificates to.

We have had some customer who have received their certificate approval in less than one working day.  It really depends upon how accessible the basic 
documents are within your organization.  Typically the process takes 5 working days. Reading our web pages regarding the process and following the steps 
presented will speed up the elapse time.
 
> Appreciate the discussion. It was helpful to me.
> 
> Thanks!
> 
> 
> --
> Jamey Maze              TEL: (615)574-6355  FAX: (615)574-8922
> Lockheed Martin Energy Systems / Oak Ridge National Laboratory
> P.O. Box 2008, MS-6394 / White Oak Road / Oak Ridge, TN 37831
> 
> 
> 

• Previous: Re: Any Implementation of S-HTTP available
• Next: No Subject
• Index(es):
  • Index
  • Thread