From: "Michael A. Atzet" <atzet@vnet.ibm.com>
Date: Sat, 2 Mar 1996 15:34:58 +0800
To: jsw@netscape.com
Subject: Re: X.509 certs that don't guarantee identity
In-Reply-To: <199602260448.WAA01201@proust.suba.com>
Message-ID: <3135CC13.41C6@vnet.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain


Jeff Weinstein wrote:
> 
> Alex Strasheim wrote:
> >
> > On the 23rd, Jeff Weinstein said this concerning the natural
> > semi-anonymity of the net:
> >
> > > Given that verisign and others will soon begin issuing large numbers of
> > > certificates that do not guarantee the identity of the key holder, it seems
> > > that this tradition will continue even with the wide deployment of X509
> > > certs.
> >
> > This has been bugging me since I read it.  I'm not sure I understand the
> > plan;  it only makes sense to me if "anonymous" X.509 certs are issued
> > for user authentication only, not for server authentication.  Is that
> > what this is about?
> >
> > (If anonymous certs are issued for servers, why should such a cert be
> > treated any differently than one I generate on my own, which causes
> > warning screens about an unknown CA to pop up?)
> 
>   The navigator will not be configured to automatically trust the verisign
> level 1 and 2 certificates for SSL servers.  You will get the same warning
> dialog with these certs as you do with one you generate on your own.
> 
>         --Jeff
> 
> --
> Jeff Weinstein - Electronic Munitions Specialist
> Netscape Communication Corporation
> jsw@netscape.com - http://home.netscape.com/people/jsw
> Any opinions expressed above are mine.

How will Navigator differentiate between the different level certs? I am not
aware of any fields in the cert itself that designate what level it is.
I know that the subject info would "look" different for a persons name vs.
email address vs commom name.

--
Michael A. Atzet         IBM AIX Systems Center         Roanoke, Texas
***  All opinions above are mine and not necessarily that of IBM.  ***
                           atzet@vnet.ibm.com