[6837] in cryptography@c2.net mail archive

Re: CA cert chaining + 128 bit

daemon@ATHENA.MIT.EDU (ericm)
Thu Mar 23 11:59:56 2000

Date: Thu, 23 Mar 2000 08:32:11 -0800
From: ericm <ericm@lne.com>
To: Kick Willemse <k.willemse@diginotar.nl>
Cc: codepunks <coderpunks@toad.com>, crypto <cryptography@c2.net>
Message-ID: <20000323083211.C6232@slack.lne.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <38D9EE2E.7CA9E4BC@diginotar.nl>

On Thu, Mar 23, 2000 at 11:13:02AM +0100, Kick Willemse wrote:
> Dear all,
> 
> I am looking for a method for good root distribution! Of course I am not
> willing to pay XXXXX to m$ or N$. Is there anybody who can help me with
> some code examples for a website that automatically checks if the root
> cert is available and if not it imports the root cert? I know you can do
> this with a button pointing to a ca.crt but I am looking for code that
> does this proactively?

Users can import new root CA certs into Netscape and MSIE by
going through a series of dialog boxes.  Just send it in the SSL/TLS
negotiation.

Automatically importing a root CA cert into the trusted cert database
would be a massive security hole... an attacker with a bogus web site
could simply make his own equally bogus root cert, send it to
the browser, then authenticate as "Amazon" or whatever.


-- 
 Eric Murray www.lne.com/~ericm  ericm at the site lne.com  PGP keyid:E03F65E5
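
The point of the reply above, as an added example that is not part of the original message: a Go program using only the standard library that verifies the same leaf certificate against pre-installed roots and then against a store that has imported whatever root the server supplied. The certificate names, `shop.example` and the helpers `issue` and `demo` are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed cert for cn: a self-signed root CA when parent is nil, else a leaf.
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, DNSNames: []string{cn}}
	if parent == nil { // self-signed root CA
		t.IsCA, t.KeyUsage, t.DNSNames = true, x509.KeyUsageCertSign, nil
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // parsing DER we just produced
	return cert, key
}

// demo checks one leaf twice: with pre-installed roots only, then after auto-import.
func demo(host string) (strict, auto bool) {
	good, _ := issue("Constructed Trusted Root", nil, nil)
	bogus, bkey := issue("Constructed Bogus Root", nil, nil)
	leaf, _ := issue(host, bogus, bkey)
	store := x509.NewCertPool()
	store.AddCert(good) // what the user installed out of band
	ok := func() bool {
		_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
		return err == nil
	}
	strict = ok()
	store.AddCert(bogus) // the automatic import the reply warns against
	return strict, ok()
}

func main() {
	fmt.Println(demo("shop.example"))
}
```

The first result is false and the second true: the only thing that changed is the content of the trust store, so whoever can write to it decides which names verify.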

