
Certificates, SSL, Verisign etc



I am looking forward to finding out how Netscape 2.0 deals with the
certification process. 

We have been told that alternative CAs (Certification Authorities) 
will be allowed (without a hierarchy from Verisign/RSA/Netscape).  
I hope this is exhaustively true.

Furthermore the issue of the "man in the middle" attack in respect
of signed certificates for the wrong organisation is pertinent.

At the end of the day there are many, many machines that are the
A record for a number of different Domain Names.  I do not think it
is reasonable for the browsers to validate that against the 
CN (Canonical Name) or CNs in the certificate in a manner such 
that the link fails if they disagree.

I am also not clear that multiple CNs would parse reasonably in the
X509 certificate.   

It is reasonable to make the CN in the Cert more obvious.  I am slightly
at fault in that my own browser does not do this .... yet. However, it
will be interesting if Netscape 2.0 makes it more obvious or not.

Realistically, however, the regulatory issues are far more important
than the identity issues.  The fact that I am dealing with the correct
organisation does not help if they are a shell company.
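
The name check discussed in the message above, as an added example that is not part of the original post: it pulls every CN out of a subject name that may carry more than one, and compares each against the name the user asked for when one machine answers for several domain names. The host names, the subject strings and the exact, case-insensitive matching rule are assumptions made for the illustration and do not describe any particular browser.

```python
import re

def parse_subject(dn):
    """Split a subject DN string into ordered (attribute, value) pairs."""
    pairs = []
    # Split on commas that are not escaped with a backslash.
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        pairs.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return pairs

def common_names(dn):
    """Every CN value in the subject, in order; a subject may carry several."""
    return [value for attr, value in parse_subject(dn) if attr == 'CN']

def normalise(host):
    """Case-fold and drop a trailing dot so equivalent DNS names compare equal."""
    return host.rstrip('.').lower()

def check_host(requested_host, dn):
    """Compare the name the user asked for with the certificate's CN values."""
    cns = common_names(dn)
    matched = normalise(requested_host) in {normalise(c) for c in cns}
    return {'requested': requested_host, 'cert_names': cns, 'match': matched}

# Constructed sample data: one machine is the A record for three names.
SHARED_HOST_NAMES = ['www.shop.example', 'shop.example', 'www.other.example']
CERT_ONE_CN = 'C=GB, O=Example Shop\\, Ltd, CN=www.shop.example'
CERT_TWO_CN = 'C=GB, O=Example Shop\\, Ltd, CN=www.shop.example, CN=shop.example'

def report(dn):
    """Match result for each name served by the shared machine."""
    return {host: check_host(host, dn)['match'] for host in SHARED_HOST_NAMES}

if __name__ == '__main__':
    for label, dn in (('one CN', CERT_ONE_CN), ('two CNs', CERT_TWO_CN)):
        print(label, common_names(dn), report(dn))
```

With a single CN, only one of the three names on the shared machine matches; a validly signed certificate issued to a different organisation shows up the same way, as a mismatch between the requested name and the names in the certificate.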