[2437] in WWW Security List Archive
Re: Security/Privacy of Certificates in Netscape 3.0
daemon@ATHENA.MIT.EDU (David W. Morris)
Wed Jul 17 20:21:29 1996
Date: Wed, 17 Jul 1996 14:40:37 -0700 (PDT)
From: "David W. Morris" <dwm@shell.portal.com>
To: www-security@ns2.rutgers.edu
In-Reply-To: <31EA9761.2722@cup.hp.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 15 Jul 1996, Gene Ingram wrote:
> Also it really kills me how for a free ONE MONTH certificate
> I must give out my social security number and driver's license
> (and birthdate) among other things, THEN when I am done I am
> asked for a credit card number and assured this is for
> verification purposes only (not to be charged)! At this point
> I stopped and closed the browser, deciding against a free
> certificate that expires at the end of August 1996.
Gene, the point is that by providing you with a certificate, Verisign
is guaranteeing your identity to each secure connection to your server.
If you set up a ripoff and someone who believed the certificate sues
Verisign they want to be able to find you. If you don't trust them
enough to provide the information, I can't see why they should trust
you enough to provide you with the certificate.
As to what of this information flows in a readable form with a
certificate, I haven't studied the protocol to that depth.
I expect (but haven't verified) that your server configuration can
control who can access it even before the certificate exchange takes
place. If you want to pursue this safely, all you have to do is set
up your test configuration in a dedicated net not connected to the
big-I Internet. By knowing the built in Verisign certificate, your
browser should be able to verify the certificate issued to your server.
Set it up, try it, snoop the wire, etc.
Have fun. We could all benefit from a detailed report.
Dave Morris
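The open question in the message above, which of these identity details actually travel in readable form with the certificate, can be checked without snooping a wire: the subject Name of an X.509 certificate is DER, with each attribute value carried as literal text. As an added example (not from the original thread, nor Verisign's or Netscape's code), a standard-library Python decoder for a DER Name, run on a subject constructed inline; the same `decode_name` applies to the subject field of any real DER certificate.

```python
# Added example (not from the thread): stdlib-only decoder for an X.509 DER Name
# (RFC 5280 4.1.2.4), showing that subject attribute values sit in the
# certificate as literal text. The sample subject below is constructed by hand.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """Decode Name ::= SEQUENCE OF SET OF AttributeTypeAndValue to [(type, value)]."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)          # each RDN is a SET (0x31)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)   # AttributeTypeAndValue SEQUENCE
            _, oid_raw, after = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, after)     # PrintableString/UTF8String: plain text
            oid = decode_oid(oid_raw)
            attrs.append((OID_NAMES.get(oid, oid), value.decode("utf-8")))
    return attrs

def tlv(tag, content):                 # short-form DER encoder, enough for the sample
    return bytes([tag, len(content)]) + content

def attr(oid_bytes, text):             # SET { SEQUENCE { OID, PrintableString } }
    return tlv(0x31, tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x13, text.encode("ascii"))))

# Constructed sample subject: CN=shop.example (2.5.4.3), O=Example Mail Order (2.5.4.10)
SAMPLE_SUBJECT = tlv(0x30, attr(b"\x55\x04\x03", "shop.example")
                     + attr(b"\x55\x04\x0a", "Example Mail Order"))
```

Note that the attribute strings appear verbatim inside `SAMPLE_SUBJECT`, which is why a server's certificate subject is readable to anyone on the path, while data a CA collects only for verification is not part of the certificate structure at all.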