Re: Security/Privacy of Certificates in Netscape 3.0

• To: www-security@ns2.rutgers.edu
• Subject: Re: Security/Privacy of Certificates in Netscape 3.0
• From: Jeff Weinstein <jsw@netscape.com>
• Date: Thu, 18 Jul 1996 02:20:29 -0700
• Organization: Netscape Communications Corp.
• References: <31EA9761.2722@cup.hp.com>
• Reply-To: jsw@netscape.com

Gene Ingram wrote:
> I just got a free certificate from Verisign for Netscape and now
> wonder if anyone can use a method to query my certificate in
> similar fashion to previous bugs where a user could query the
> email address?  The Verisign certificate contains your name,
> address, and level 2 even contains your SOCIAL SECURITY NUMBER
> and BIRTHDATE among other sensitive info.
> 
> Let's say the latter info is not in the certificate, just the
> name and address to keep this discussion from getting
> sidetracked.  Is there a way for a web page to run a Java
> script or query on the certificate, let's say, for the NAME of
> certificate holder and maybe other info, similarly to how there
> was a way to get the email address before they closed that
> hole)?  I'm concerned as I don't want to give snoopy marketers
> more info about me than I already have by just surfing the web!

  Your certificate will only be delivered to a remote site as
part of an SSL client authentication.  It is not accessible to
Java or JavaScript.

  In the current beta, when you connect to a web site with SSL,
and the site requests client authentication, the user is prompted
to select a certificate to send, and can cancel the connection
at this time.

  The final release of 3.0 will have several more options for
choosing a certificate to send when a site requests client auth.
The three options are:

	1) always ask user(this is the default) - same as the
		behaviour of the current beta
	2) automatic selection - The SSL 3.0 protocol allows the
		server to send a list of CAs that it will accept
		user certificates from.  When this option is
		enabled, the navigator will try to select one of
		your certificates that the server will accept.
	3) send a user specified cert - This option allows the
		user to select a certificate to send by default.

> Also it really kills me how for a free ONE MONTH certificate
> I must give out my social security number and driver's license
> (and birthdate) among other things, THEN when I am done I am
> asked for a credit card number and assured this is for
> verification purposes only (not to be charged)!  At this point
> I stopped and closed the browser, deciding against a free
> certificate that expires at the end of August 1996.

  The whole point of the Class 2 certificate is to verify your
identity.  While verisign uses information such as your social
security number and drivers license number to verify your identity,
they do not include that information in your certificate.

  If you are uncomfortable giving them all of this information,
you can get a class 1 certificate, which only requires your
e-mail address.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

• Re: Security/Privacy of Certificates in Netscape 3.0
• From: Patrick Richard <patr@x509.com>
• Default Certificates, was --> Re: Security/Privacy of Certificates in Netscape 3.0
• From: "Jason S. Smith" <jason@mitre.org>

• Security/Privacy of Certificates in Netscape 3.0
• From: Gene Ingram <gene@hpfsvr01.cup.hp.com>

• Previous: RE: cookies and privacy
• Next: RE: Need help! Regarding internet securi
• Index(es):
  • Index
  • Thread