[796] in WWW Security List Archive

SSL, X509 Certificates and EuroSign

daemon@ATHENA.MIT.EDU (John Hemming (Chief Executive Mark)
Mon Jul 31 19:29:19 1995

From: "John Hemming (Chief Executive MarketNet )" <JohnHemming@mkn.co.uk>
Date: Mon, 31 Jul 95 20:50:26 -700
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Well, so there we are.  SSL works quite nicely and ensures that
some form of server verification is dependent upon the 
existence of an X509 certificate.  The server verification does
not really help that much in a commercial environment as it does
not offer any regulatory guarantees, but the process does allow
a secure channel.

All the certs are currently digitally signed by verisign.com.
Netscape kindly provide UUencoded certificates with the public
keys of those CAs recognised by Navigator.

Indeed Netscape state that they will add other public keys as
other CAs come on line.

Meanwhile in the UK we at EuroSign set up our own CA, but not
using any software written by RSA.  We generate our own 
confidential key pair and contact Netscape requesting that it
be placed into Navigator.  Initially Netscape are helpful
(I have generally found Netscape very helpful)
and simply request our cert, however after a point they go
quiet with a mention of legal issues that need to be resolved?

Interesting question?

What do people think has happened?

Should RSA really sit at the top of commercial CAs so that
no-one can become a CA without their permission?  Alternatively
should the system operate on a more widespread basis?

Although this is a commercial issue initially affecting ourselves
in little old Europe, I feel that it is pertinent to the 
development of worldwide commerce and security and hence have
posted it to this mailing list.



