[Fwd: Re: PGP, Inc.]

[Jeff Weinstein]

I meant to send this along to the list as well as Raph.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.


To: Raph Levien <raph at cs.berkeley.edu>
Subject: Re: PGP, Inc.
From: Jeff Weinstein <jsw at netscape.com>
Date: Sat, 11 May 1996 02:07:40 -0700
Organization: Netscape Communications Corp.
References: <v02140b03adb92b2dbc65@[205.149.165.24]> <3193E226.575E651C at cs.berkeley.edu>
Reply-To: jsw at netscape.com

Raph Levien wrote:
> 
> Tim Dierks wrote:
> >
> > The only effort they make is that when using the email-based CA, it mails
> > the certificate to the address within, so it's not trivial to get a cert
> > for an address that you don't have access to. (I'm not saying it's
> > impossible, or even hard, just that it requires some skill and effort).
> 
> For example, see http://www.digicrime.com/id.html . I believe they got
> these certificates using the Web, rather than e-mail.
> 
> I think with e-mail, you'd actually have to be running a packet sniffer
> or doing an active attack such as DNS spoofing. However, the Web is
> much, much more convenient.
> 
> In any case, the page I referenced above is worthwhile reading.

  It is certainly possible to put e-mail 'into the loop' when
issuing certs via the web.  With Netscape Navigator 3.0 there is
no requirement that the cert be issued immediately when requested.
I expect that some cert vendors who are issuing low assurance
certs will e-mail the requestor a password that they can use to
retrieve their cert.  This at least provides some(not total) assurance
that the requestor can receive e-mail at the address in the cert.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.