Re: Importing Signing Certs into Netscape 4.7

Mon, 10 Jan 2000 16:09:06 -0800 

On Mon, Jan 10, 2000 at 12:24:21PM +0200, Kaur Virunurm wrote:
> [...]
> That's all. Verisign does not know, and has not said, that this key pair 
> has ever been meant to be used for software publishing. (As it is has not 
> been meant to be used for secure mail, user authentication or being a CA).

        Yes, I'm finding this out now.  I'm contacting Verisign to see
what they can do for me (short of actually buying a new $400 cert).
My hopes aren't very high.

> Thus your Verisign certificate does not allow such usage and should not
> be used for object signing. If any software allows signing with this cert,
> or trusts objects signed by this, then this is a security-related bug. 

        I don't know if I would see what as a security 'bug'.  It
seems that the cert would be doing it's primary function: 
authenticating the creator of the object whether it be a web page or a
java applet.  (Yeah, SSL is doing some encrypting of streams, but
that's something else.)  If I'm understanding things correctly, the
difference between the certs is actually quite minor: just a flag
(nsCertType).
        From my readings, I'm seeing that some of the limitations are
policy/profit-related by the CA's.  For example, Verisign used to
offer object-signing certs to developers for $20... not any more! 
They are $400 now. :'p

> Also: I do not know the requirements that Verisign places upon its
> secure server certificate private keys, but it may be against agreements 
> (between Verisign and you) to import the key into a user's storage space 
> (such as user browser). But regardless of Verisign, having your server 
> keys in your _browser_ under is against any rule in data security, 
> and against common sense as well. 

        Somehow I doubt Verisign will take my cert away and give me my
money back just because I imported it into Netscape (hey, at least
it's Unix Netscape w/ better security... ;') I also agree w/ your
point on the security risk of importing it into Netscape, though.  I
felt strange doing so, but Netscape's jar signing tools (all
command-line) require that the certs be imported into Netscape.

        Thanks!


Phil

-- 
Philip Edelbrock -- IS Manager -- Edge Design, Corvallis, OR
   [EMAIL PROTECTED] -- http://www.netroedge.com/~phil
 PGP F16: 01 D2 FD 01 B5 46 F4 F0  3A 8B 9D 7E 14 7F FB 7A
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to