From: Jeff Weinstein <jsw@netscape.com>
To: cypherpunks@toad.com
Message Hash: 63a975bbc7fa45b0bab6899a9c16ae8fc7eedc2b45b9e844066833430863b216
Message ID: <3194593C.E86@netscape.com>
Reply To: N/A
UTC Datetime: 1996-05-11 14:05:40 UTC
Raw Date: Sat, 11 May 1996 22:05:40 +0800
Subject: [Fwd: Re: PGP, Inc.]
I meant to send this along to the list as well as Raph.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
To: Raph Levien <raph@cs.berkeley.edu>
Subject: Re: PGP, Inc.
From: Jeff Weinstein <jsw@netscape.com>
Date: Sat, 11 May 1996 02:07:40 -0700
Organization: Netscape Communications Corp.
References: <v02140b03adb92b2dbc65@[205.149.165.24]> <3193E226.575E651C@cs.berkeley.edu>
Reply-To: jsw@netscape.com
Raph Levien wrote:
>
> Tim Dierks wrote:
> >
> > The only effort they make is that when using the email-based CA, it mails
> > the certificate to the address within, so it's not trivial to get a cert
> > for an address that you don't have access to. (I'm not saying it's
> > impossible, or even hard, just that it requires some skill and effort).
>
> For example, see http://www.digicrime.com/id.html . I believe they got
> these certificates using the Web, rather than e-mail.
>
> I think with e-mail, you'd actually have to be running a packet sniffer
> or doing an active attack such as DNS spoofing. However, the Web is
> much, much more convenient.
>
> In any case, the page I referenced above is worthwhile reading.
It is certainly possible to put e-mail 'into the loop' when
issuing certs via the web. With Netscape Navigator 3.0 there is
no requirement that the cert be issued immediately when requested.
I expect that some cert vendors who are issuing low assurance
certs will e-mail the requestor a password that they can use to
retrieve their cert. This at least provides some (not total) assurance
that the requestor can receive e-mail at the address in the cert.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
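
The deferred issuance with an e-mailed retrieval password described in the message above, as an added Python example that is not part of the original post and is not Netscape's or any CA's code. The class name `DeferredIssuer`, the `send_mail` callback, the validity window, the attempt limit and the placeholder certificate record are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 24 * 3600   # assumed validity window for the mailed password (seconds)
MAX_ATTEMPTS = 5        # assumed limit on wrong guesses per request

class DeferredIssuer:
    """Hypothetical low-assurance CA front end: request on the web, retrieve after e-mail."""

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail   # callable(address, body); assumed mail transport
        self.now = now               # injectable clock so expiry can be tested
        self.pending = {}            # request_id -> pending record

    def request(self, email, public_key):
        request_id = secrets.token_hex(8)
        password = secrets.token_urlsafe(16)
        self.pending[request_id] = {
            "email": email, "public_key": public_key,
            # Keep only a hash so a leaked pending table does not reveal passwords.
            "digest": hashlib.sha256(password.encode()).digest(),
            "expires": self.now() + TOKEN_TTL, "attempts": 0,
        }
        # The password travels only by mail; the web response carries just the id.
        self.send_mail(email, f"Retrieval password for request {request_id}: {password}")
        return request_id

    def retrieve(self, request_id, password):
        rec = self.pending.get(request_id)
        if rec is None:
            return None
        if self.now() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[request_id]   # expired or guessed too often
            return None
        rec["attempts"] += 1
        supplied = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(supplied, rec["digest"]):   # constant-time compare
            return None
        del self.pending[request_id]       # single use
        return self._issue(rec["email"], rec["public_key"])

    def _issue(self, email, public_key):
        # Placeholder record; real certificate signing is out of scope here.
        return {"subject_email": email, "public_key": public_key}
```

The check binds issuance to whoever can read mail sent to the address, which is why the assurance is partial: mail read in transit or misdirected by spoofed DNS, as mentioned in the quoted text, yields the same password.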