[EMAIL PROTECTED] wrote:
> Yes, I'm finding this out now. I'm contacting Verisign to see
> what they can do for me (short of actually buying a new $400 cert).
> My hopes aren't very high.
Does Thawte still offer its services? Thawte certs used to be cheaper.
Of course, since they are one and the same now..
It'd be nice if Verisign, or whatever CA, would make difference between
in-house development and global commercial software development and
would issue different certs for different prices. Right now, it regards
you and Microsoft to be of the same class.
> ... If any software allows signing with this cert,
> > or trusts objects signed by this, then this is a security-related bug.
> I don't know if I would see what as a security 'bug'.
The bug I meant is a browser trusting an object signed by a cert that
does not have object signing as allowed usage.
> It seems that the cert would be doing it's primary function:
> authenticating the creator of the object whether it be a web page or a
> java applet.
Server cert does not say anything about creator of served pages.
It only says something about the ownership of server itself.
Signing cert certifies content, server cert certifies content source:
that is different.
If you have the case that security rules for both keysets are the same
(which basically means that all signing is done in the same server
by the server admin who uses the environment for signing only, and that
in case of server key compromise or expiration you are ready to re-create
and re-sign all your objects, etc), I agree that having one keypair for
both usages can be considered. But you must know what you are doing,
and be very, very cautious. End-user environment is often much more
open to attacks than server configuration files.
> If I'm understanding things correctly, the
> difference between the certs is actually quite minor: just a flag
> (nsCertType).
Technically, yes. My point was to stress that behind this minor technical
detail lies a fundamental policy issue. Certificate extensions are there
to enfore usage of PKI policies, and must not be taken lightly.
> Somehow I doubt Verisign will take my cert away and give me my
> money back just because I imported it into Netscape
I also doubt that it will give you your money back :) But it may
(rightfully) revoke the cert if it has placed some obligations on
you about your key security, and feels that you have stepped over
the rules. Well, since there is no working global certificate
revocation mechanism, it cannot do much - yet.
Kaur
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
