From: kipp@warp.mcom.com (Kipp E.B. Hickman)
Date: Tue, 13 Dec 94 10:02:38 PST
To: hfinney@shell.portal.com
Subject: Re: Clarification of my remarks about Netscape
Message-ID: <9412131800.AA18475@warp.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain



In article <199412130729.XAA01473@jobe.shell.portal.com>, you write:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> It is nice to have a lot of people on the list from Netscape.
> Here is a question about SSL relating to the use of certificates:
> 
>           + The issuer name must resolve to a name that is deemed
>             acceptable by the application using SSL. How the application
>             using SSL does this is outside the scope of this memo.
> 
> What does Netscape actually do about this?  If I want to make a server
> which will interoperate with existing Netscape clients what kind of
> certificate do I need, and what kind of name should be in there?
> Thanks -
> 
> Hal Finney
> hfinney@shell.portal.com
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6
> 
> iQBVAwUBLu1NOxnMLJtOy9MBAQGItwIAr4eerI+FSmPpOIcwITepnXzcUUFkPwsK
> +Rz2FC4Y6hV0HoDEt1JnpvCPVV5N74Jtc9xMmF8CcRlBybk25PkxVQ==
> =LOql
> -----END PGP SIGNATURE-----

Because online directory services are not one of the extant solved
problems on the Internet, Netscape uses a simple approach - a small
set of "important issuer" certificates are compiled into the
browser. A future release will support "key rings" ala PGP. This is
all we had time for in this release...

All you need to do is get your server certificate from one of several
places, including:

	RSA (commercial CA or server CA)
	Netscape (not likely; we can't afford the liability)
	MCI (I don't know if they are selling this).

So the short answer is: it's hard to do right now. In six months it
should be a very different scenario.

---------------------------------------------------------------------
Kipp E.B. Hickman          Netscape Communications Corp.
kipp@mcom.com              http://www.mcom.com/people/kipp/index.html