1994-12-15 - Re: Clarification of my remarks about Netscape

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 39d86d1048f254e71868d87b7b57f0e94b17c4d714eca78a132f5bd9b7eaca3d
Message ID: <199412150738.XAA06251@jobe.shell.portal.com>
Reply To: <199412142236.OAA21214@jobe.shell.portal.com>
UTC Datetime: 1994-12-15 07:38:27 UTC
Raw Date: Wed, 14 Dec 94 23:38:27 PST

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Wed, 14 Dec 94 23:38:27 PST
To: cypherpunks@toad.com
Subject: Re: Clarification of my remarks about Netscape
In-Reply-To: <199412142236.OAA21214@jobe.shell.portal.com>
Message-ID: <199412150738.XAA06251@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


Hal <hfinney@shell.portal.com> writes:
>It appears from your docs that the Netscape client has a File menu item
>that brings up a Document Information dialog box which displays the
>distinguished names of the certificate issuer and of the subject (the
>owner of the key).  This does provide a way of checking that you are
>securely connected to the server that you expect (assuming that the
>name is recognizable to the user).  But it sounds like this is not
>something which the customer sees automatically.  Again, this seems
>like an important security aspect which should be displayed more
>prominently.

>BTW, what do you see in the dialog when you connect securely to
>mcom.com?  What is the subject name in your certificate?

I downloaded the latest Netscape client and tried the https: links at
the mcom server.  When you switch to secure mode, a large dialog box
appears reminding you to check the Document Information.  But it has a
"don't show again" button and I would imagine that most people would
soon use that.

The Document Information box shows this information:

Encryption Key:  Export [40]
Name of Server:	C=US, ST=California, O=Netscape Communications Corp.,
		CN=mosaic@mcom.com
Name of Certifier: C=US, OU=Test CA, O=Netscape Communications Corp.

It would be nice if the CN field were the same as the server address.
Then the client could check it.

Hal
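
The check suggested in the message above, sketched as an added example (not part of Hal's message and not Netscape's code): it parses the server name as the Document Information box displays it and compares the CN to the host in the requested URL. The URL `https://mcom.com/` and the function names are assumptions; current TLS clients perform this match against the certificate's subjectAltName entries rather than the CN.

```python
from urllib.parse import urlsplit

# Constructed input: the "Name of Server" value quoted in the message,
# joined onto one line.
SERVER_DN = ("C=US, ST=California, O=Netscape Communications Corp., "
             "CN=mosaic@mcom.com")


def parse_dn(dn):
    """Split a displayed distinguished name into (attribute, value) pairs.

    Backslash-escaped commas inside a value are kept as part of the value.
    Multi-valued RDNs joined with '+' are not handled in this sketch.
    """
    pairs, buf, escaped = [], "", False
    for ch in dn + ",":          # trailing comma flushes the last component
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            if buf.strip():
                attr, sep, value = buf.partition("=")
                if not sep:
                    raise ValueError(f"malformed component: {buf!r}")
                pairs.append((attr.strip().upper(), value.strip()))
            buf = ""
        else:
            buf += ch
    return pairs


def common_names(dn):
    """Return every CN value present in the distinguished name."""
    return [value for attr, value in parse_dn(dn) if attr == "CN"]


def cn_matches_url(dn, url):
    """True only if some CN equals the host of the URL the user asked for."""
    host = urlsplit(url).hostname    # already lower-cased, port removed
    if not host:
        return False
    host = host.rstrip(".")
    return any(cn.rstrip(".").lower() == host for cn in common_names(dn))


if __name__ == "__main__":
    # The certificate from the message: the CN is a mailbox, so the check fails.
    print(common_names(SERVER_DN), cn_matches_url(SERVER_DN, "https://mcom.com/"))
```

With the certificate shown in the dialog the comparison fails, because the CN holds `mosaic@mcom.com` rather than the server address; a client enforcing this check would refuse or warn on that connection.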




