Re: What's the netscape problem



Netscape Commerce server certificates use RSA key pairs generated by the
user, i.e. with "Netscape's shoddy random number genrator" (sic). All the
servers running in "secure" mode need new RSA keys and certificates, as noted
in the following excerpt from the official Netscape response.

"In addition, the current version of the Netscape Commerce Server has a
similar vulnerability during its initial key-pair generation. Therefore, a
patch will be made available from Netscape and should be applied by Commerce
Server customers to generate a new key pair and server certificate." 

Stephen A. Mattin
Delphi Internet Services
Cross Point, 1 Industrial Ave
Lowell MA 01851               

stephen@delphi.com

On Thu, 21 Sep 1995, Osvaldo Ramon Sabina wrote:

> +-- marcvh@spry.com (Marc VanHeyningen) once said:
> |
> | ...
> | This would mean merely getting a fixed server would be insufficient; every
> | Netscape server user would need to generate a new keypair, get a new Verisign
> | certificate, and revoke the old one.
> | 
> | (Oops, wait, there's no way to revoke the old one.  I guess you just have to
> | hope nobody does this before all those certificates expire.)
> 
> I'm not claiming to be the authority on this, but as I understand it:
> 
> The server keypair is an RSA keypair which is generated and certified by some key
> certification authority (e.g. RSA).  This is where the certificate comes into
> play.  I honestly don't think that Netscape's shoddy random number genrator in the
> client and server software has anything to do with the original RSA keypair, so
> they should be unaffected.
> 
> Oz
> 
> Ozzie Sabina 
> Univ of Fla CISE Department 
> 
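An added illustration of the point at issue in this thread (example code written for this page, not code from Netscape, VeriSign or either poster): RSA key generation is a deterministic function of the random bits fed into it, so a key pair produced from a poorly seeded generator is reproducible by anyone who can walk the seed space, and replacing the generator afterwards does nothing for keys that already exist. The toy keygen below takes a pluggable random source; the "weak" path seeds Python's deterministic `random.Random` from a single small integer, which is a stand-in assumption for a low-entropy seed and does not reproduce Netscape's actual algorithm. Key sizes are a toy 256 bits so the example runs instantly.

```python
import random
import secrets

# Added example: toy RSA key generation with a pluggable random source.
# It models the weakness generically (deterministic PRNG, tiny seed); it is
# NOT Netscape's actual generator or seeding scheme.

_SYS = secrets.SystemRandom()  # OS entropy for Miller-Rabin witnesses only


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test. Witnesses come from OS entropy so the verdict does
    not depend on the (possibly weak) key-generation RNG under test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _SYS.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Draw odd candidates of exactly `bits` bits from `rng` until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa_keypair(bits, rng):
    """Return (n, e, d). Every random bit comes from `rng`, so the key pair is
    a deterministic function of the generator's state."""
    e = 65537
    while True:
        p = gen_prime(bits // 2, rng)
        q = gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        # e is prime, so gcd(e, phi) == 1 unless e divides phi
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def keypair_from_weak_seed(seed, bits=256):
    """The flaw, modelled: a deterministic PRNG seeded from a small value
    (assumption: the seed is an integer from a small space). The same seed
    always yields the same key, and a later fix to the generator does not
    change keys already produced this way."""
    return gen_rsa_keypair(bits, random.Random(seed))


def keypair_from_os_entropy(bits=256):
    """The remedy: a fresh key pair drawn from the OS entropy source."""
    return gen_rsa_keypair(bits, secrets.SystemRandom())


def roundtrip_ok(key, m=0x1234):
    """Sanity check that the generated pair actually works as an RSA key."""
    n, e, d = key
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    weak_a = keypair_from_weak_seed(4242)
    weak_b = keypair_from_weak_seed(4242)
    print("same seed, same key pair:", weak_a == weak_b)
    print("fresh OS-entropy key differs:", keypair_from_os_entropy() != weak_a)
    print("weak key still works as RSA:", roundtrip_ok(weak_a))
```

The last line of output is the uncomfortable part: a key pair born from a weak seed is a perfectly valid RSA key and nothing in the certificate reveals how it was made, which is why the only remedy is to generate a new pair from a sound source and obtain a new certificate, exactly as the Netscape excerpt above says.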
