Re: Announcing Droplets Ben Laurie (ben@algroup.co.uk)
Thu, 30 Sep 1999 20:00:48 +0100

"Mark S. Miller" wrote:
>
> At 05:07 AM 9/30/99 , Ben Laurie wrote:
> >I know that it I then click on the
> > > key-or-lock-or-whatever icon (or otherwise request security info for the
> > > current page) .... However, ignoring the requestable
> > > security info, what authentication does the browser do of the URL
> > > itself?
> >
> >What do you mean "ignoring the requestable security info"? If you ignore
> >that, you aren't doing SSL. You know you are getting data from fudco.com
> >because they have a certificate that says so.
>
> I meant, the human not interactively requesting security info about the page, or ignoring what he reads if he does. I wanted to separate the authentication offered through this info-about-the-page interface from that required (by a conforming implementation) to dereference the URL itself. From your response, it sounds like the browser is obligated to do the right thing. Now we need to ask what CAs claim to certify.
>
> The reason I asked is that my model of what CA's (like Verisign) do is mostly authenticate (weakly) the correspondence between a key and an email address and/or a real world name. Do they also claim to authenticate the correspondence between a key and domain name ownership? If the answer to this is adequate, I'd say the Droplets capability/URL idea is home free!
>
> It case it isn't clear to anyone, I am asking these questions from a vast pool of ignorance. Thanks for your indulgence.

:-) In order to qualify for a server certificate from either VeriSign or Thawte (the two most likely CAs) you must produce proof that you (your company) own the domain and that you are the company you claim to be.

How carefully they check this proof I am not prepared to speculate on.

Certificates that validate key/email address correspondence are _not_ accepted (by default) for URL verification.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi