[1945] in WWW Security List Archive
Summary of certifying Apache-SSL problems
daemon@ATHENA.MIT.EDU (Mike Bremford)
Wed May 1 08:46:10 1996
Date: Wed, 1 May 1996 10:58:45 +0100
From: Mike.Bremford@mail.bl.uk (Mike Bremford)
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Well, its an easy enough summary to write.
The answer is "No, it can't be done" ;-)
This is because Verisign apparently won't certify anything thats not on its
"tried and tested" list - they have to ensure that the code meets certain
quality standards. Actually, thinking about this now, it would be very
difficult for them to test the Apache-SSL using non-RSA libraries, as they're
based in the US and therefore can't run the program without being in breach of
RSAs patent... Christ, the legal profession has a lot to answer for...
Anyway, there are rumours of the guy who wrote the SSLeay library trying to
negotiate with Verisign to get the library, and therefore the server, certified.
However, don't hold your breath.
Thanks to everyone that replied.
Cheers... Mike
