Re: Netscape, CAs, and Verisign
At 06:50 PM 1/30/96 -0500, Phill wrote:
>Question is how can Netscape (or anyone else) _securely_ allow an arbitrary CA's
>certificate to be used? Certainly the process cannot be automatic. Binding the
>Verisign public key into the browser may be an undesirable solution, but the
>problem is to think of a better one.
It's easy, and I gather Netscape has done it in 2.x - let the _user_ decide
what CAs to trust. For convenient verification, you can have the user sign the
keys for each of the CAs, and then the chain-following software only needs
to compare each certificate's signer with the user's own pubkey, rather than
comparing with Verisign's. If you want to be automatic about it, you _could_
have the user sign Verisign's key when first generating keys, or you could
ask the user the first time.
You've got to pull the wool over your _own_ eyes, here :-)
#--
# Thanks; Bill
# Bill Stewart, [email protected], Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs
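
The user-signed-CA scheme described in the message above, as an added example that is not part of the original post: a chain is accepted only when it ends at a certificate signed by the user's own key. It assumes toy textbook RSA built from Mersenne primes (not secure, chosen only so the block runs offline); all names and the hostname are hypothetical.

```python
import hashlib

E = 65537

def toy_keypair(a, b):
    """Textbook RSA from the Mersenne primes 2^a-1 and 2^b-1. Toy only, not secure."""
    p, q = 2**a - 1, 2**b - 1
    return {"pub": (p * q, E), "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(subject, pub, n):
    data = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(signer, subject, subject_pub):
    """Signer binds a subject name to a public key."""
    n, _ = signer["pub"]
    sig = pow(digest(subject, subject_pub, n), signer["d"], n)
    return {"subject": subject, "pub": subject_pub, "signer": signer["pub"], "sig": sig}

def sig_ok(cert):
    n, e = cert["signer"]
    return pow(cert["sig"], e, n) == digest(cert["subject"], cert["pub"], n)

def chain_trusted(chain, user_pub):
    """chain[0] is the leaf; each later cert must certify the previous signer."""
    for i, cert in enumerate(chain):
        if not sig_ok(cert):
            return False
        if cert["signer"] == user_pub:
            return True  # reached a key the user signed personally
        if i + 1 >= len(chain) or chain[i + 1]["pub"] != cert["signer"]:
            return False
    return False

# Constructed sample data: the user has signed CA-A's key but never CA-B's.
user, ca_a, ca_b = toy_keypair(521, 607), toy_keypair(127, 1279), toy_keypair(89, 107)
site_pub = toy_keypair(31, 61)["pub"]
ca_a_by_user = issue(user, "CA-A", ca_a["pub"])
ca_b_self = issue(ca_b, "CA-B", ca_b["pub"])
site_by_a = issue(ca_a, "www.example.test", site_pub)
site_by_b = issue(ca_b, "www.example.test", site_pub)
# A cert that reuses the user's signature over CA-A but claims to cover CA-B.
forged = dict(ca_a_by_user, subject="CA-B", pub=ca_b["pub"])

if __name__ == "__main__":
    print("via CA-A:", chain_trusted([site_by_a, ca_a_by_user], user["pub"]))
    print("via CA-B:", chain_trusted([site_by_b, ca_b_self], user["pub"]))
    print("forged  :", chain_trusted([site_by_b, forged], user["pub"]))
```

No CA key is compiled into the verifier; the only fixed trust anchor is `user_pub`, so adding or dropping a CA is a matter of the user issuing or discarding one signature.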