[601] in WWW Security List Archive
Re: Netscape Changes RSA tree
daemon@ATHENA.MIT.EDU (George Parsons)
Thu Apr 20 19:36:14 1995
Date: Thu, 20 Apr 1995 12:18:59 -0700
To: lkn@llnl.gov
From: george@RSA.COM (George Parsons)
Cc: www-security@ns1.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Please see my comments to Mr. Neely's email included below. Mr. Neely,
please make sure that you understand the full issues prior to broadcasting
to a world-wide alias. Dissemination of misleading information does not
help anyone within this community.
I apologize for not having more information in our web pages. We are busy
working on content and noticeable improvements will be made over the next
several weeks.
George Parsons
Director of Certificate Services
RSA Data Security, Inc.
>lkn@llnl.gov (Lee Neely) wrote:
>>All--
>>I just learned that Netscape added a new root to the RSA tree
>>when they licensed the Digsig part of the netsite server.
Wrong, Netscape didn't "add" a new root to the RSA tree. RSA has been
operating several Digital Certificate Hierarchies for over 2 years. These
hierarchies are operated in an open fashion. In fact your own organization
has a CA within the Commercial Hierarchy.
Netscape has incorporated RSA root keys into their secure software
offerings. There are many companies that incorporate RSA root keys into
their security-aware applications. For example Apple has been shipping Mac
O/S 7.5/7.1 since Oct 4, 1993 with RSA's Commercial Hierarchy's root key.
In each case the decision was made by the software developer as to what root
keys to incorporate. Netscape, at this time, has plans to support other CAs.
>>
>> You see, if you're a current Certificate Authority
>>(I am) and you wish to assign a Digital Certificate to Netscape, you can't.
>>(Unless you pay RSA *MORE* money and upgrade your software, which isn't
>>really available yet.) The alternative is to pay RSA for your certificate
>>(yes, like everyone else!) and then get one from them.
The Certification Authority that I believe you are referring to is for use
within the Commercial Hierarchy for LLNL's end-users. Secure servers, like
Netscape's Commerce Server, are certified under a different Certificate
Hierarchy. The reasons for this are that the binding process for the
identity of an entity and the public key are MUCH different for a person.
No upgrades are necessary for the CA software. Operation of a CA for
secure servers is very different but can be supported with the same software.
>>
>>While this seems minor, after all, I am only talking about one server;
>>WHEN we get to version 1.5, which is supposed to support Certificates at
>>the client level, we could be forced to pay for many certificates, outside
>>of our current purchase arrangement with RSA. Further, the potential
>>exists for users to have to have TWO certificates. One for their "regular"
>>digitally signed documents, and one for Netscape. And at $279, plus the
>>browser, this is not a bargain!! *so much for a distinguished name that
>>uniquely identifies you*
Clients will not be "forced" to have Certificates. Many applications
require the security that certificate-based client-side authentication
provides. An example is form-based access to your company's HR database to
change your benefits. I am sure that you would not want a PIN to control
access to changes to your benefits package.
The end-user Certificates that LLNL has issued and is issuing are within RSA's
Commercial Hierarchy. Netscape has incorporated this root into their
software. When client side certificates are supported the Certificates LLNL
have issued will technically work. There are minor issues about how to extract the user's
private key from the Apple environment. There is software on the net that
does this already.
>>
>>In case you missed it, the original RSA hierarchy had two levels,
>>and Netscape has pushed the tree down a level, creating a new root.
>>(They applied for a root node license.)
The depth of Certificate hierarchies is a known security issue. RSA's
hierarchies are NOT limited to two levels deep. We recommend only one level
(a CA) between the root and the end-node certificate for security reasons
within the higher trust environments. Lower trust environments do not carry
this recommendation.
In addition there is no such thing as a "root node license".
>>
>>Which also means that existing tree members cannot talk to the new
>>nodes, until they too, have been upgraded to "know" about the new arrangement.
>>
This is not a valid statement.
>>If anyone knows why the heck Netscape couldn't be another leaf node,
>>like everyone else, I would sure like to know.
>>
>>Flame off.
>>Cheers!
>>Lee
>>
>>--
>>Leland K. Neely
>>U.C.L.L.N.L
>>P.O. Box 808 L-613
>>Livermore CA 94551
>>Email: lkn@llnl.gov
>>Voice: (510) 422-0140
George Parsons
RSA Data Security, Inc.
100 Marine Parkway, Suite 500
Redwood City, CA 94065
george@rsa.com
http://www.rsa.com/
https://www.rsa.com/netscape
TEL: 415.595.8782
FAX: 415.595.1873