[741] in WWW Security List Archive
RE: Using Netsite Commerce Server with non-RSA certificate?
daemon@ATHENA.MIT.EDU (Jamey Maze)
Tue Jun 6 20:32:59 1995
Date: Tue, 6 Jun 1995 15:48:59 -0400
To: www-security@ns2.rutgers.edu
From: Jamey Maze <jnm@ornl.gov>
Errors-To: owner-www-security@ns2.rutgers.edu
As a follow-up to my original posting, the following is the response I got
from Netscape:
>Currently, RSA is the only certificate authority who can provide Netscape
>server certificates. It is not possible at this time to set up a private
>certificate authority for your own use, or to use a different certificate
>authority to obtain your certificate from.
If I had read Netscape's documentation
(http://home.mcom.com/info/netscape-security.html) I would have known that:
>The Netscape Navigator includes embedded Certificate Authority (CA) keys for
>certain CAs, including our test CAs. As new CAs come online, we will embed
>their keys as well. These embedded keys allow the Netscape Navigator to
>verify the legitimacy of arbitrary servers. See the Document Information
>dialog to inspect both the identity of a given server as well as the
>identity of the CA that issued the server its certificate. SSL requires
>servers to have certificates issued by a Certificate Authority; the
>Netscape Commerce Server includes a mechanism to easily acquire such a
>certificate.
Responding to a few comments...
At 9:10 AM 6/5/95, Bob Denny wrote:
>Netscape's browser accepts only "real" Netscape certificates. Imagine
>what would happen if "anyone" could run a server that successfully
>communicated with Netscape Navigator? The average person won't check
>the "Document info" and examine the certification of the server, so
>if I ran a bandit server, hijacked B of A's IP address, then put up
>a bogus credit card application, I'd have a field day.
>
>Netscape and RSA carefully control the issuance of certificates that
>are acceptable to the Navigator.
You have a point about the average user not knowing what's going on and
possibly being duped. But if I were a bad guy and wanted to dupe local
users, since they get their copies of Netscape Navigator from my
organization, I probably could do it with or without an RSA certificate (if
I were able to embed my CA's certificate in the Navigator). It seems that
until users begin to understand a little about the certification process,
the potential for such abuse is there. (Similar potentials exist in the
current environment.)
At 5:45 PM 6/5/95, isaac j g wrote:
>I'd be real surprised if you could do this with the commerce server since it
>would require modification to the SSL protocol code and the notion of
>doing this defeats the purpose of a central CA which SSL is based upon.
The notion of a central CA isn't sacred to me. In my situation, the RSA CA
wouldn't be any more trusted than a locally administered CA.
At 7:59 AM 6/6/95, J. David Stanton, Jr. wrote:
>If you haven't already acquired the "Commerce" server,
>why not just get the "Communications" server, which is
>both cheaper and doesn't have the authentication stuff
>that it seems you're trying to avoid.
No, I'm not trying to avoid the "authentication stuff", but was hoping I
could have used it without having to go through the process of getting an
RSA certificate. (I would have set up my own CA and certified my own
certificate.) The RSA process requires that some legal documents be
provided. In my company, when you get lawyers involved, it'll certainly
take a long time and chances are high it'll get caught on some legal snag
and never happen.
Appreciate the discussion. It was helpful to me.
Thanks!
--
Jamey Maze TEL: (615)574-6355 FAX: (615)574-8922
Lockheed Martin Energy Systems / Oak Ridge National Laboratory
P.O. Box 2008, MS-6394 / White Oak Road / Oak Ridge, TN 37831
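
The trust decision discussed in this thread, as an added example that is not part of the original message and is not Netscape's code: a client accepts a server certificate only if it chains to a CA in its embedded set, so a privately run CA is rejected until its certificate is added to that set. It assumes the `openssl` command-line tool is installed; the CA names, host names and store file names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed demo; vendor-ca, local-ca and the host names are made-up values.
WORK=$(mktemp -d)

# make_ca NAME: create a self-signed CA (NAME.key / NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA HOST: have CA sign a server certificate for HOST (HOST.pem).
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# client_accepts STORE CERT: succeed only if CERT chains to a CA in STORE.
client_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca vendor-ca
make_ca local-ca
issue_cert vendor-ca shop.example.test
issue_cert local-ca intranet.example.test

# Client as shipped: only the vendor CA is embedded.
cp "$WORK/vendor-ca.pem" "$WORK/embedded.pem"
# Client as redistributed by an organization that added its own CA.
cat "$WORK/vendor-ca.pem" "$WORK/local-ca.pem" > "$WORK/repackaged.pem"

for store in embedded repackaged; do
    for host in shop.example.test intranet.example.test; do
        if client_accepts "$WORK/$store.pem" "$WORK/$host.pem"; then
            echo "$store store: $host accepted"
        else
            echo "$store store: $host rejected"
        fi
    done
done
```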