
Re: Security/Privacy of Certificates in Netscape 3.0



Gene Ingram's recent message doesn't fully capture the VeriSign Digital ID
application and issuing process.

The only fields required to be in a Class 2 Digital ID are user name and
email address. Home address is optional. The Digital ID does not contain social
security number, birthdate or any other verification information. (The
enrollment pages say "This information is used to verify your identity; it
is kept confidential and NOT included in your Digital ID")

SSN and birthdate, among other things, are used to authenticate identity.
This is also why we request a credit card number. We don't charge credit
cards for services unless we state so EXPLICITLY. We indicate that our Class
2 Service is in beta and we state that we do not charge the applicant's
credit card. We do check the Equifax credit database, and we use the credit
card check to help authenticate identity.

The reason the expiration date is in August is that we're currently in Beta and
tied to the browser manufacturer's schedule. We appreciate the feedback that
all users have given us during this beta phase. When the product is final we
will be able to offer longer term full-assurance Digital ID's.

Finally, NS-API supports reading certificate content, so we expect web sites
to use this information when users access a secure page. Certificates would
be mapped against an existing ACL to provide more secure access than
passwords do today.

Paul Meijer
Product Marketing Manager
VeriSign, Inc.

>>
>>Hi,
>>
>>I just got a free certificate from Verisign for Netscape and now 
>>wonder if anyone can use a method to query my certificate in 
>>similar fashion to previous bugs where a user could query the 
>>email address?  The Verisign certificate contains your name, 
>>address, and level 2 even contains your SOCIAL SECURITY NUMBER 
>>and BIRTHDATE among other sensitive info.
>>
>>Let's say the latter info is not in the certificate, just the 
>>name and address to keep this discussion from getting 
>>sidetracked.  Is there a way for a web page to run a Java 
>>script or query on the certificate, let's say, for the NAME of 
>>certificate holder and maybe other info (similarly to how there 
>>was a way to get the email address before they closed that 
>>hole)?  I'm concerned as I don't want to give snoopy marketers 
>>more info about me than I already have by just surfing the web!
>>
>>Also it really kills me how for a free ONE MONTH certificate 
>>I must give out my social security number and driver's license 
>>(and birthdate) among other things, THEN when I am done I am 
>>asked for a credit card number and assured this is for 
>>verification purposes only (not to be charged)!  At this point 
>>I stopped and closed the browser, deciding against a free 
>>certificate that expires at the end of August 1996.
>>
>>Gene
>>
>>-- 
>>___
>> | ._  _ ._ _.._ _    ``I do not fear computers
>>_|_| |(_|| (_|| | |     I fear lack of them.''  -Isaac Asimov
>>_____  _|  _______________________________________________________
>>Key fingerprint:  93 E1 15 E6 35 BC B2 84  B2 7B 39 76 29 72 32 72
>> [Signature lettering created by ``Figlet Ascii Font Converter''
>>  http://mediacube.datacom.de/cgi-bin/moniteurs/figlet]
>>
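
The ACL mapping mentioned in the reply above, sketched as an added example (not code from the message, VeriSign or Netscape, and not using NS-API). It assumes the TLS layer has already verified the client certificate and hands the server a decoded dict in the shape Python's ssl.SSLSocket.getpeercert() returns; the CA name, serial numbers, dates, ACL layout and function names are constructed for illustration.

```python
import ssl

# Constructed issuer name in getpeercert() form (a tuple of RDNs).
ISSUER = ((("organizationName", "Example CA"),),
          (("commonName", "Example Class 2 CA"),))

def make_cert(name, email, serial, not_after):
    """Build a constructed decoded certificate carrying only name and email."""
    return {
        "subject": ((("commonName", name),), (("emailAddress", email),)),
        "issuer": ISSUER,
        "serialNumber": serial,
        "notAfter": not_after,
    }

# Hypothetical ACL keyed on (issuer, serial number). A CA issues each serial
# once, so this pins one specific certificate; a name or email match alone
# would accept any certificate that happens to carry the same subject text.
ACL = {
    (ISSUER, "0A1B2C"): {"user": "alice", "paths": ("/reports/",)},
}

def subject_fields(cert):
    """Flatten the subject into a dict: everything the site can read from it."""
    return {key: value for rdn in cert["subject"] for (key, value) in rdn}

def authorize(cert, path, now):
    """Return the ACL user allowed to fetch `path` at time `now`, else None."""
    if cert is None:
        return None                      # no client certificate presented
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return None                      # certificate has expired
    entry = ACL.get((cert["issuer"], cert["serialNumber"]))
    if entry is None:
        return None                      # valid certificate, not in the ACL
    if not any(path.startswith(prefix) for prefix in entry["paths"]):
        return None                      # listed, but not for this path
    return entry["user"]

if __name__ == "__main__":
    alice = make_cert("Alice Example", "alice@example.com", "0A1B2C",
                      "Aug 31 23:59:59 2030 GMT")
    now = ssl.cert_time_to_seconds("Jan 15 00:00:00 2030 GMT")
    print(subject_fields(alice))
    print(authorize(alice, "/reports/q1", now))
```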

