North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: slightly OT : versign complaint department

  • From: Mathias Koerber
  • Date: Sun Sep 30 22:37:09 2001

> I can access inww.com site thru my browser, using a supposedly "secure"
> connection. The certificate presented by Melbourne IT is signed by
> Verisign! :-) It takes me 2 minutes to make a change, not two weeks.

However, all the security you have with *their* certificate is some degree
of
confidence that you connected to the correct site. What is not provided for
secure identification of you to them (apart from the password).
PGP authentication (if it works, which with NSI does not seem to be the case
anymore, they rejected perfectly valid PGP-signed templates from me for the
last few days without indication what they think is the problem, sigh) does
provide a mechanism for client-side authentication using strong-encryption
technology. While I believe that such is possible with SSL, this does not
seem
to be used at all, IMHO for the following reasons
	- lack of tools to generate one's own client-certificate for use with
	   webbrowsers, and/or documentation etc for that and
	- lack of support by websites for submitting your cert's public part or
	- lack of certification authorities that accept user-generated certs
	  and are widely accepted by site-operators for this purpose
(most CAs seem to generate certs for their customers, which always leaves
the possibility for some form of escrow, whether by law, by the CA's
policies
or internal procedures [backup etc] or even a single rogue staff).

I know someone is going to chip in with lots of details and info I have
missed/overlooked, and I'd welcome pointers if such services and tools are
actually available [in a relatively user-friendly for accessible form].

Mathias