[903] in WWW Security List Archive

Re: What's the netscape problem

daemon@ATHENA.MIT.EDU (Harald.T.Alvestrand@uninett.no)
Fri Sep 22 09:31:13 1995

From: Harald.T.Alvestrand@uninett.no
To: Osvaldo Ramon Sabina <ors@cis.ufl.edu>
cc: www-security@ns2.rutgers.edu
In-reply-to: Your message of "Thu, 21 Sep 1995 19:07:30 EDT." <199509212307.TAA06648@cutter.cis.ufl.edu>
Date: Fri, 22 Sep 1995 12:21:15 +0200
Errors-To: owner-www-security@ns2.rutgers.edu

The standard mode of operation is that each entity generates its own
public/private keypair, signs the public key with the private key, and
makes someone believe it enough to issue a certificate.

Having someone (e.g. RSA) generate the private key needlessly exposes the
key to interception while in transit to the user.
What saves the RSA keypair is probably the fact that it's harder to get
the PID and so on at the time the key generation process was done than it
is to observe the first transaction initiated by a given browser.

               Harald A
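
Added example, not part of the original message: the flow described above in Go, with the holder generating the keypair locally and the issuer checking the self-signature before it would issue anything. Using a PKCS#10 request as the signed form is an assumption (the message names no format), and `newRequest`, `issuerCheck`, the subject `www.example.test` and the RSA-2048 key size are hypothetical choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// newRequest runs on the holder's machine: the private key is made here and stays here.
func newRequest(commonName string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // OS CSPRNG, not time/PID
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName},
	}
	// The request embeds the public key and is signed with the private key.
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// issuerCheck runs on the issuer's side: it sees only the request and verifies the self-signature.
func issuerCheck(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

func main() {
	key, der, err := newRequest("www.example.test") // constructed name
	if err != nil {
		panic(err)
	}
	csr, err := issuerCheck(der)
	if err != nil {
		panic(err)
	}
	fmt.Println("request carries holder's key:", key.PublicKey.Equal(csr.PublicKey))
	der[len(der)-1] ^= 0x01 // flip one signature bit, as if altered in transit
	_, err = issuerCheck(der)
	fmt.Println("altered request rejected:", err != nil)
}
```

Only the DER request crosses the network; the private key returned by `newRequest` is never serialized or transmitted.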
