[898] in WWW Security List Archive
Re: What's the netscape problem
daemon@ATHENA.MIT.EDU (Osvaldo Ramon Sabina)
Thu Sep 21 22:10:57 1995
To: www-security@ns2.rutgers.edu
In-reply-to: Your message of Wed, 20 Sep 1995 07:51:47 -0700.
<253.811608707@pellet.spry.com>
Date: Thu, 21 Sep 1995 19:07:30 EDT
From: Osvaldo Ramon Sabina <ors@cis.ufl.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
+-- marcvh@spry.com (Marc VanHeyningen) once said:
|
| ...
| This would mean merely getting a fixed server would be insufficient; every
| Netscape server user would need to generate a new keypair, get a new Verisign
| certificate, and revoke the old one.
|
| (Oops, wait, there's no way to revoke the old one. I guess you just have to
| hope nobody does this before all those certificates expire.)
I'm not claiming to be the authoritative on this, but as I understand it:
The server keypair is an RSA keypair which is generated and certified by some key
certification authority (e.g. RSA). This is where the certificate comes into
play. I honestly don't think that Netscape's shoddy random number genrator in the
client and server software has anything to do with the original RSA keypair, so
they should be unaffected.
Oz
Ozzie Sabina
Univ of Fla CISE Department
