From: jsw@neon.netscape.com (Jeff Weinstein)
Date: Mon, 2 Oct 95 23:13:30 PDT
To: cypherpunks@toad.com
Subject: Re: Spoofing HTTP server certificates
In-Reply-To: <199510020737.AAA27256@ix7.ix.netcom.com>
Message-ID: <44qk8v$igc@tera.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain


In article <199510020737.AAA27256@ix7.ix.netcom.com>, stewarts@ix.netcom.com (Bill Stewart) writes:
> At 12:52 AM 10/2/95 -0400, Greg Miller <gmiller@grendel.ius.indiana.edu> wrote:
> >	Since there has been a lot of talk about the "man in the middle" 
> >attack on the secure web servers, has anyone actually considered the 
> >processing time required to fake a certificate from scratch?
> >	I haven't really familiarized myself with how the certificates 
> >are generated, etc, but it's my understanding that they are signed with RSA.
> 
> While I haven't seen Verisign's various public keys posted to the net,
> and didn't see them anywhere on their web page, I assume they're at least
> 508 bits long, and the ones for better-than-personna certification
> (or at least Class 3) ought to be ~1024 bits long, unless they're limiting
> themselves to 512 bits to support software that's limited by ITAR stupidity
> (which would be a shame, but is certainly possible.)

  You can see the certificate(including public key) for RSA/Verisign's
sercure server authority by looking at:

	http://home.netscape.com/newsref/ref/rsa-server-ca.html

  It is a >1000 bit key.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.