Re: NEW Data type for certificate selection ?
Ed,
Now this is getting really exciting. I really want to understand what you
are suggesting.
How would you create a Bank application over https: ?
Here are some simple design requirements:
1) First a secure channel shall be created (using SSL/TLS)
2) Through the secure channel the customer is allowed to view accounts,
exchange rates etc.
3) The customer is allowed to enter payment transactions.
4) Each payment transaction shall be individually signed using the
customer's non-repudiation certificate issued for the purpose.
5) Each transaction signature shall require the customer's conscious
acceptance.
Now, how can you create this function without a plug-in and without using
Javascript or similar?
I would be very happy to know this.
/Stefan
At 12:29 PM 10/1/98 -0300, Ed Gerck wrote:
>On Thu, 1 Oct 1998, Stefan Santesson wrote:
>
>>Hi Ed,
>>
>>I'm just trying to understand what you are saying.
>>
>>Are you saying that you would solve the problem generally by, for
>>each issuer, having a different Issuer DN, per certificate type?
>>Well I have thought of that for the SSL/TLS case but I don't like it.
>
>Stefan:
>
>;-)
>
>May I remind you that you wrote:
>
> I realize that today there is no way to do this without distributing
> customized plug-in components to end-users
>
>However, there are actually TWO ways, as I mentioned in my previous
>postings, that do not involve plug-ins and do not need Javascript
>either (btw, a security risk right there).
>
>
>>Simply because many planned CA-services does not work that way and I'm not
>>convinced that they should either.
>
>;-) Simply because you perhaps want to make commercial CA-services
>mandatory to Banks. However, that is neither needed to Banks nor
>desirable security wise.
>
>Further, if you want to name an objection, please do so. Generic
>"does not work that way", without qualifying the "that" or why -- is
>not useful in a discussion. SMTP carries only written words yet, not
>thoughts ;-)
>
>Can you be specific?
>
>>
>>The next question is, how do I use the SSL/TLS negotiation to pick the
>>right certificate for creating a signed object in a Java script?
>
>As I explained before, there are TWO ways to pick the intended
>certificate and no other cert. However, pls consider abandoning
>Javascripts to provide *functionality* -- even though JS may add
>embellishments. Several major companies and security concerned
>individuals do not use JS at all.
>
>Cheers,
>
>Ed Gerck
>______________________________________________________________________
>Dr.rer.nat. E. Gerck egerck@novaware.cps.softex.br
>http://novaware.cps.softex.br
> -- Member of the Meta-Certificate Group -- http://www.mcg.org.br
-------------------------------------------------------------------
Stefan Santesson <stefan@accurata.se>
Accurata Systemsäkerhet AB
Lotsgatan 27 D Tel. +46-40 152211
216 42 Malmö Fax. +46-40 150790
Sweden Mobile +46-70 5247799
PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------