Re: User-Specified Trusted CAs in Netscape (Was: Re: NetScape's dependence upon RSA down for the count!)
In article <[email protected]>, [email protected] (Futplex) writes:
> Bill Soley writes:
> > (3) Netscape is making the problem worse (yes, worse) in the next release
> > by allowing the user to specify their own list of trusted CAs. (I will
> > elaborate on this unpopular view below.)
> > Re: problem 3, about how allowing the user to specify their own list of
> > trusted CAs is bad.
> > it. Even Mary Moderately-Savvy might be tricked into doing it on the
> > false assumption that it would only affect security for the naughty
> > pictures site (that she may not care about), and not affect security for
> > her stock-broker. This false assumption might be based on the fact
> > that the (legitimate) stock-broker uses a different CA.
> You seem to be overstating your point a bit. The real problem here, AFAICS,
> is that the proposed protocol in the software wouldn't allow sufficiently
> fine-grained control over the certification authority approval. The user
> should be able to specify the conditions under which a CA is to be trusted,
> not simply give a blanket approval or rejection.
> It looks as though a set of trusted (CA, site) pairs would suffice.
> How about it, Netscape? Give the user the opportunity to say "I trust
> certificates from Alfie's World of Key Certification regarding keys for
> interactions with Elvira's Copier Shack."
We've already thought of a lot of the stuff you guys have brought up,
and tried to address them in our design. I'm also taking note of things
we didn't think of.
There will be various "domains" that you can trust a CA for, including
SSL, e-mail, and payment. You will be able to enable and disable trust
for specific server certs as well. You could say, "I don't trust
verisign, but I will trust Joe's Internet Coffee Shop (which happens
to be signed by verisign)".
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
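
Added example, not part of the original thread and not Netscape's code: a sketch of the trust decision discussed above, comparing blanket CA approval with approval scoped by trust domain, by (CA, site) pair, and by per-certificate override. The TrustStore class, the fingerprints and the certificate records are constructed for illustration, and signature verification of the chain is assumed to have already succeeded.

```python
from dataclasses import dataclass, field

ALL = {"ssl", "email", "payment"}  # the trust "domains" named in the reply
ALFIE = "Alfie's World of Key Certification"

@dataclass
class TrustStore:  # hypothetical structure, not a real browser API
    ca_purposes: dict = field(default_factory=dict)     # CA -> domains it is trusted for
    ca_sites: dict = field(default_factory=dict)        # CA -> sites it may vouch for (absent = any)
    cert_overrides: dict = field(default_factory=dict)  # cert fingerprint -> True/False

    def is_trusted(self, cert, purpose):
        # Assumption: the signature chain up to cert["issuer"] was already verified.
        override = self.cert_overrides.get(cert["fingerprint"])
        if override is not None:           # a per-certificate decision wins
            return override
        if purpose not in self.ca_purposes.get(cert["issuer"], set()):
            return False                   # CA not trusted for this domain
        sites = self.ca_sites.get(cert["issuer"])
        return sites is None or cert["subject"] in sites

def make_cert(subject, issuer, fingerprint):
    return {"subject": subject, "issuer": issuer, "fingerprint": fingerprint}

# Constructed sample certificates (fingerprints are placeholders)
CERTS = {
    "elvira": make_cert("Elvira's Copier Shack", ALFIE, "fp-01"),
    "broker_via_alfie": make_cert("stock-broker", ALFIE, "fp-02"),
    "coffee": make_cert("Joe's Internet Coffee Shop", "verisign", "fp-03"),
    "other_verisign": make_cert("some other site", "verisign", "fp-04"),
}

def blanket_store():
    # Blanket approval: once added, the CA can vouch for any site, for any purpose.
    return TrustStore(ca_purposes={ALFIE: ALL})

def scoped_store():
    # Scoped approval: Alfie only for SSL and only for Elvira's site;
    # verisign is not trusted, but one of its server certs is enabled.
    return TrustStore(
        ca_purposes={ALFIE: {"ssl"}},
        ca_sites={ALFIE: {"Elvira's Copier Shack"}},
        cert_overrides={"fp-03": True},
    )

def decisions(store, purpose="ssl"):
    return {name: store.is_trusted(c, purpose) for name, c in CERTS.items()}

if __name__ == "__main__":
    print("blanket:", decisions(blanket_store()))
    print("scoped: ", decisions(scoped_store()))
```

Under blanket approval the certificate Alfie issues for the stock-broker is accepted, which is the situation Bill Soley describes; under scoped approval it is rejected while Elvira's and the coffee shop's certificates are still accepted.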