mailing list archives
RE: slightly OT : versign complaint department
From: "Mathias Koerber" <mathias () koerber org>
Date: Mon, 1 Oct 2001 02:23:22 -0700
I can access inww.com site thru my browser, using a supposedly "secure"
connection. The certificate presented by Melbourne IT is signed by
Verisign! :-) It takes me 2 minutes to make a change, not two weeks.
However, all the security you have with *their* certificate is some degree
of confidence that you connected to the correct site. What is not provided for
is secure identification of you to them (apart from the password).
PGP authentication (if it works, which with NSI does not seem to be the case
anymore, they rejected perfectly valid PGP-signed templates from me for the
last few days without indication what they think is the problem, sigh) does
provide a mechanism for client-side authentication using strong-encryption
technology. While I believe that such is possible with SSL, this does not
seem to be used at all, IMHO for the following reasons:
- lack of tools to generate one's own client-certificate for use with
webbrowsers, and/or documentation etc for that and
- lack of support by websites for submitting your cert's public part or
- lack of certification authorities that accept user-generated certs
and are widely accepted by site-operators for this purpose
(most CAs seem to generate certs for their customers, which always leaves
the possibility for some form of escrow, whether by law, by the CA's
or internal procedures [backup etc] or even a single rogue staff).
I know someone is going to chip in with lots of details and info I have
missed/overlooked, and I'd welcome pointers if such services and tools are
actually available [in a relatively user-friendly or accessible form].