From: adam@bwh.harvard.edu (Adam Shostack)
Date: Fri, 18 Aug 95 08:15:02 PDT
To: harveyrj@vt.edu (R. J. Harvey)
Subject: Re: Netscape security
In-Reply-To: <9508181411.AA11657@toad.com>
Message-ID: <9508181509.AA01916@joplin.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain


	To clear up some apparent confusion: The Commerce server is
not the certificate.  The NSCP Commerce Server is an httpd.
Non-profits and educationals still need to pay Verisign for a
certificate.  They do not need to pay NSCP for a $5,000 web server.

	The certificates must be signed by an approved key signing
agency.  Anyone can produce one; to get it to interact 'securely' with
free netscape browsers you need the certificate to be signed.

	There is no word as to how to become a KSA.  Netscpe has
ignored the question on several occaisons.

Adam

| On the subject of Netscape:
|    Now that Netscape is making the Commerce Server available
| for free to students, faculty, libraries, etc. (i.e., groups
| with limited ability to cough-up $290 to RSA to get the 
| 1-year digitially-signed certificate needed to make it operate 
| in "secure mode"), does anyone know of alternative methods for 
| producing such certificates?  


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume