> -----Original Message-----
> From: Thomas Reinke [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 14, 2000 5:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: howto get IE & Netscape to accept CA?
> 
> 
> 
> > >
> > > If the Root Cert is not there, or if no root authority is
> > > claimed (as in the case of self-certify), the browser asks
> > > you if you trust this site - three or four dialog boxes allow
> > > you to say 'yes' for now, or 'yes' for any future sessions.
> > > ONLY if you say 'yes' for a future session will you add THAT
> > > cert into the browser's cache.
> > 
> > That was more or less my problem: the ONLY safe solution is saying NO
> > systematically without even READING the certificate, except if you are able
> > to validate by another mean the fact that the one that sends you a
> > certificate for which you do not have a trusted root certificate is indeed
> > the one he pretends to be; however that means that you are doing yourself
> > what a root CA is doing :-)
> > 
> > So browsers should never ask a question if the ONLY safe option is saying
> > NO!
> 
> Well, not really.  It would be, as an example, a pain in the @#% to
> test your own webserver with a "test" certificate (e.g. a self signed
> cert) if the browser categorically refused to accept the cert.
> Now I do NOT see a problem with configuring out the ability
> to do this (e.g. corporate environments). But I'd be royally p.o'ed
> if I couldn't make use of my own internal web servers that have my
> own certificates installed.

I don't see any problem if, for this, instead of just loading an HTTP page
and clicking YES to the dialog that opens I have to open (for example) "View
-> Options -> Certificates -> Install" and install my test certificate,
clicking the "trust" button...

> 
> Also, there is value in trusting the certificate, even when it
> is self-signed - providing you know WHAT to trust.  If you accept
> the cert, you know you are entering into communication with
> SOMEONE (no guarantee who), and that no one else is sniffing
> your communications, because they are encrypted.  Again, that
> in itself has value.
> 
> Finally, the ability to import a root cert into the browser
> through a controlled dialog can be easily enough done,
> and securely, providing the sending site secures the
> cert itself via an SSL connection that is behind an already
> known certificate such as Thawte or Verisign.  That way,
> you know the company is legit, and you just need to decide
> whether or not to trust them as a CA.  It's that above step,
> while easy enough to do, that is solved by getting your
> cert into the Netscape and IE distributions, which appear
> for all practical purposes to have been locked down at this point.
> 

My main concern in all this is not that this is possible, but that it does not
require any voluntary action from the user; there is a lot of difference
between the following two procedures: 
1) saying to the user: If you decide to accept my self-signed certificate as
a valid root certificate, download it by right-clicking on this link then do
"View -> Options -> Certificates -> Install" on IE or "..." on Netscape (or
RTFM of your browser) to install it
2) Popping a dialog saying "Do you accept my certificate? YES (default) NO"

Clearly in both cases the user has the ability to do what he needs, but in
the second case he is pushed to do it even if he does not understand what's
happening. 

To be clear, I agree it is NEEDED that someone can add certificates to their
browser (even if it's also needed that the local admin is able to restrict
WHO is able to do so); my only concern is to avoid situations where this
potentially harmful operation may be so simple that users may accept to do
it under pressure from the very person that's trying to break into their system.

Imagine a web server providing a very valuable service, that you use
frequently, that suddenly, to access some new service, displays a message
saying:

"To be able to provide you this new service, I need to configure your
browser to accept some security features I use; if you wish to continue
using this service you must answer YES at the following dialog"

Then downloads a self-signed certificate... :-( I bet a lot of people, even
moderately aware of what security means, will accept this (especially if it
was better worded :-)) and thus allow me to compromise the security of their
system.

That is what I think is kind of a security breach.

Thanks anyway for your answers, and for reading me so far :-)

Regards,

                Bernard

--------------------------------------------
Bernard Dautrevaux
Microprocess Ingéniérie
97 bis, rue de Colombes
92400 COURBEVOIE
FRANCE
Tel:    +33 (0) 1 47 68 80 80
Fax:    +33 (0) 1 47 88 97 85
e-mail: [EMAIL PROTECTED]
                [EMAIL PROTECTED]
-------------------------------------------- 
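The two outcomes the thread contrasts (a self-signed certificate presented by a server fails validation against the trust store, and only validates once the user has deliberately installed it as a trusted root) can be reproduced with the OpenSSL command line. This is an added example, not part of the original thread or of any project's code; it assumes the `openssl` CLI is on PATH, and the certificate subject `test.example.invalid` is a constructed throwaway value.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI is available.
# It models the two cases discussed above: chain validation against the existing
# trust store (what the browser does before asking anything), and validation after
# the user has explicitly installed the certificate as a trusted root.

WORK=$(mktemp -d)

# Constructed test certificate: a throwaway self-signed cert for a made-up host name.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=test.example.invalid" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Validate the presented certificate against the default trust store only.
# A self-signed cert has no trusted issuer there, so this is expected to fail.
# Returns 0 if the chain validates, 1 if it does not.
verify_against_default_store() {
    if openssl verify "$WORK/cert.pem" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# The equivalent of "View -> Options -> Certificates -> Install": the user has
# deliberately placed the cert in the trust store (here passed as -CAfile),
# so the same certificate now validates.
verify_after_explicit_install() {
    if openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

make_self_signed
if verify_against_default_store; then
    echo "unexpected: self-signed cert validated without being installed as a root"
else
    echo "self-signed cert rejected by the default trust store (expected)"
fi
if verify_after_explicit_install; then
    echo "accepted once explicitly installed as a trusted root"
fi
```

The point of the separation is that nothing the server sends can move a certificate from the first case to the second; only the explicit install step (the `-CAfile` argument here, the certificate manager in a browser) does that, which is exactly the deliberate user action the message argues a pop-up dialog short-circuits.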
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]