[Previous] [Next] [Index]
[Thread]
Undeliverable message
Your message could not be delivered for the following reason:
Mailbox 75162.3375 is currently full.
Please resend your message at a later time.
--- Returned message ---
Sender: owner-www-security@ns2.rutgers.edu
Received: from ns2.rutgers.edu (ns2.rutgers.edu [128.6.21.2]) by arl-img-7.compuserve.com (8.6.10/5.950515)
id SAA15145; Wed, 17 Jul 1996 18:43:06 -0400
Received: (from daemon@localhost) by ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) id PAA13782 for www-security-outgoing; Mon, 15 Jul 1996 15:20:01 -0400
Received: from hp.com (hp.com [15.255.152.4]) by ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) with ESMTP id PAA13570 for <www-security@ns2.rutgers.edu>; Mon, 15 Jul 1996 15:09:55 -0400
Received: from hpfsvr01.cup.hp.com (allan.cup.hp.com) by hp.com with ESMTP
(1.37.109.16/15.5+ECS 3.3) id AA297767769; Mon, 15 Jul 1996 12:09:30 -0700
Received: from allan by hpfsvr01.cup.hp.com with SMTP
(1.37.109.15/15.5+IOS 3.20+cup+OMrelay) id AA043137762; Mon, 15 Jul 1996 12:09:22 -0700
Message-Id: <31EA9761.2722@cup.hp.com>
Date: Mon, 15 Jul 1996 12:09:21 -0700
From: Gene Ingram <gene@hpfsvr01.cup.hp.com>
Reply-To: www-security@ns2.rutgers.edu
Organization: Hewlett-Packard Co.
X-Mailer: Mozilla 3.0b4 (X11; I; HP-UX A.09.05 9000/720)
Mime-Version: 1.0
To: www-security@ns2.rutgers.edu
Subject: Security/Privacy of Certificates in Netscape 3.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-www-security@ns2.rutgers.edu
Precedence: bulk
Errors-To: owner-www-security@ns2.rutgers.edu
Hi,
I just got a free certificate from Verisign for Netscape and now
wonder if anyone can use a method to query my certificate in
similar fashion to previous bugs where a user could query the
email address? The Verisign certificate contains your name,
address, and level 2 even contains your SOCIAL SECURITY NUMBER
and BIRTHDATE among other sensitive info.
Let's say the latter info is not in the certificate, just the
name and address to keep this discussion from getting
sidetracked. Is there a way for a web page to run a Java
script or query on the certificate, let's say, for the NAME of
certificate holder and maybe other info, similarly to how there
was a way to get the email address before they closed that
hole)? I'm concerned as I don't want to give snoopy marketers
more info about me than I already have by just surfing the web!
Also it really kills me how for a free ONE MONTH certificate
I must give out my social security number and driver's license
(and birthdate) among other things, THEN when I am done I am
asked for a credit card number and assured this is for
verification purposes only (not to be charged)! At this point
I stopped and closed the browser, deciding against a free
certificate that expires at the end of August 1996.
Gene
--
___
| ._ _ ._ _.._ _ ``I do not fear computers
_|_| |(_|| (_|| | | I fear lack of them.'' -Isaac Asimov
_____ _| _______________________________________________________
Key fingerprint: 93 E1 15 E6 35 BC B2 84 B2 7B 39 76 29 72 32 72
[Signature lettering created by ``Figlet Ascii Font Converter''
http://mediacube.datacom.de/cgi-bin/moniteurs/figlet]