Netscape, CAs, and Verisign
Bill Stewart
stewarts at ix.netcom.com
Sat Feb 3 02:19:12 PST 1996
At 06:50 PM 1/30/96 -0500, Phill wrote:
>Question is how can Netscape (or anyone else) _securely_ allow an arbitrary
CA's
>certificate to be used? Certainly the process cannot be automatic. Binding the
>Verisign public key into the browser may be an undesirable solution, but the
>problem is to think of a better one.
It's easy, and I gather Netscape has done it in 2.x - let the _user_ decide
what CAs
to trust. For convenient verification, you can have the user sign the
keys for each of the CAs, and then the chain-following software only needs
to compare each certificate's signer with the user's own pubkey, rather than
comparing with Verisign's. If you want to be automatic about it, you _could_
have the user sign Verisign's key when first generating keys, or you could
ask the user the first time.
You've got to pull the wool over your _own_ eyes, here :-)
#--
# Thanks; Bill
# Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs
More information about the cypherpunks-legacy
mailing list