Raph Levien wrote:
>
> Tim Dierks wrote:
> >
> > The only effort they make is that when using the email-based CA, it mails
> > the certificate to the address within, so it's not trivial to get a cert
> > for an address that you don't have access to. (I'm not saying it's
> > impossible, or even hard, just that it requires some skill and effort).
>
> For example, see http://www.digicrime.com/id.html . I believe they got
> these certificates using the Web, rather than e-mail.
>
> I think with e-mail, you'd actually have to be running a packet sniffer
> or doing an active attack such as DNS spoofing. However, the Web is
> much, much more convenient.
>
> In any case, the page I referenced above is worthwhile reading.
It is certainly possible to put e-mail 'into the loop' when
issuing certs via the web. With Netscape Navigator 3.0 there is
no requirement that the cert be issued immediately when requested.
I expect that some cert vendors who are issuing low assurance
certs will e-mail the requestor a password that they can use to
retrieve their cert. This at least provides some(not total) assurance
that the requestor can receive e-mail at the address in the cert.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.