[Fwd: Re: PGP, Inc.]
Jeff Weinstein
jsw at netscape.com
Sat May 11 07:05:40 PDT 1996
I meant to send this along to the list as well as Raph.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
To: Raph Levien <raph at cs.berkeley.edu>
Subject: Re: PGP, Inc.
From: Jeff Weinstein <jsw at netscape.com>
Date: Sat, 11 May 1996 02:07:40 -0700
Organization: Netscape Communications Corp.
References: <v02140b03adb92b2dbc65@[205.149.165.24]> <3193E226.575E651C at cs.berkeley.edu>
Reply-To: jsw at netscape.com
Raph Levien wrote:
>
> Tim Dierks wrote:
> >
> > The only effort they make is that when using the email-based CA, it mails
> > the certificate to the address within, so it's not trivial to get a cert
> > for an address that you don't have access to. (I'm not saying it's
> > impossible, or even hard, just that it requires some skill and effort).
>
> For example, see http://www.digicrime.com/id.html . I believe they got
> these certificates using the Web, rather than e-mail.
>
> I think with e-mail, you'd actually have to be running a packet sniffer
> or doing an active attack such as DNS spoofing. However, the Web is
> much, much more convenient.
>
> In any case, the page I referenced above is worthwhile reading.
It is certainly possible to put e-mail 'into the loop' when
issuing certs via the web. With Netscape Navigator 3.0 there is
no requirement that the cert be issued immediately when requested.
I expect that some cert vendors who are issuing low assurance
certs will e-mail the requestor a password that they can use to
retrieve their cert. This at least provides some(not total) assurance
that the requestor can receive e-mail at the address in the cert.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw at netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
More information about the cypherpunks-legacy
mailing list