[Fwd: Re: PGP, Inc.]
I meant to send this along to the list as well as Raph.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

To: Raph Levien <raph@cs.berkeley.edu>
Subject: Re: PGP, Inc.
From: Jeff Weinstein <jsw@netscape.com>
Date: Sat, 11 May 1996 02:07:40 -0700
Organization: Netscape Communications Corp.
References: <v02140b03adb92b2dbc65@[205.149.165.24]> <3193E226.575E651C@cs.berkeley.edu>
Reply-To: jsw@netscape.com

Raph Levien wrote:
Tim Dierks wrote:
The only effort they make is that when using the email-based CA, it mails the certificate to the address within, so it's not trivial to get a cert for an address that you don't have access to. (I'm not saying it's impossible, or even hard, just that it requires some skill and effort).
For example, see http://www.digicrime.com/id.html . I believe they got these certificates using the Web, rather than e-mail.
I think with e-mail, you'd actually have to be running a packet sniffer or doing an active attack such as DNS spoofing. However, the Web is much, much more convenient.
In any case, the page I referenced above is worthwhile reading.
It is certainly possible to put e-mail 'into the loop' when issuing certs via the web. With Netscape Navigator 3.0 there is no requirement that the cert be issued immediately when requested. I expect that some cert vendors who are issuing low assurance certs will e-mail the requestor a password that they can use to retrieve their cert. This at least provides some (not total) assurance that the requestor can receive e-mail at the address in the cert.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
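The deferred-issuance scheme described in the message above (the cert is held back and a retrieval password is mailed to the address in the cert), sketched as an added example that is not part of the original message or any CA's code. The class name, method names and the 24-hour validity window are hypothetical; the check shows only that someone could read mail sent to that address.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed validity window for the mailed password, in seconds


class PendingCertStore:
    """Holds issued certs until the requester presents the password that was mailed."""

    def __init__(self, now=time.time):
        self._pending = {}  # request_id -> (email, token_hash, expires_at, cert)
        self._now = now     # injectable clock so expiry can be tested

    def request(self, email, cert_pem):
        """Record a web request. The returned token must leave the CA only by
        e-mail to `email`; it is never shown in the web response."""
        request_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(24)
        # Store only a hash, so a leaked pending table does not leak passwords.
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[request_id] = (email, digest, self._now() + TOKEN_TTL, cert_pem)
        return request_id, token

    def retrieve(self, request_id, presented_token):
        """Release the cert once, for the mailed token only, before expiry."""
        entry = self._pending.get(request_id)
        if entry is None:
            return None
        _email, digest, expires_at, cert_pem = entry
        if self._now() > expires_at:
            del self._pending[request_id]  # expired requests are dropped
            return None
        presented = hashlib.sha256(presented_token.encode()).digest()
        if not hmac.compare_digest(presented, digest):  # constant-time compare
            return None
        del self._pending[request_id]  # single use: a replayed token gets nothing
        return cert_pem
```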