From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sat, 3 Feb 1996 18:19:12 +0800
To: cypherpunks@toad.com
Subject: Re: Netscape, CAs, and Verisign
Message-ID: <199602030951.BAA12320@ix2.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 06:50 PM 1/30/96 -0500, Phill wrote:
>Question is how can Netscape (or anyone else) _securely_ allow an arbitrary
CA's 
>certificate to be used? Certainly the process cannot be automatic. Binding the 
>Verisign public key into the browser may be an undesirable solution, but the 
>problem is to think of a better one.

It's easy, and I gather Netscape has done it in 2.x - let the _user_ decide
what CAs
to trust.  For convenient verification, you can have the user sign the
keys for each of the CAs, and then the chain-following software only needs
to compare each certificate's signer with the user's own pubkey, rather than
comparing with Verisign's.  If you want to be automatic about it, you _could_
have the user sign Verisign's key when first generating keys, or you could
ask the user the first time.  

You've got to pull the wool over your _own_ eyes, here :-)
#--
#				Thanks;  Bill
# Bill Stewart, stewarts@ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs