Re: apache and ssl/verisign

On Fri, 26 Jan 1996, Gintaras Richard Gircys (GG148) wrote:
> > :>There are also SLL versions of Apache available.
> > 
> > Wouldn't put too much credence in that.  Yes, there is an SSL
> > version, I paid the $495 for it, but those *@#$&*@#$% over at
> > VeriSign will not sign certificates for it.  The sales drone
> > on the phone said they couldn't do anything with Apache until
> > someone in charge of marketing at Apache called so they could
> > work out the marketing details.  The funny thing is that Apacke
> 
> this isn't quite accurate. anyone can work with verisign to have their
> web server certified by verisign - think part of the problem with
> apache is that they use rsaref and not bsafe the commercial product.
> 
> so bottom line is that apache hasn't convinced veisign of their server's
> integrity according to verisign standards.

Sameer (the distributor of Apache-SSL) is working with verisign on this 
issue, I would expect a resolution in a few weeks.  

To which I have to ask - why does Verisign care, particularly?  I can get 
a pair of keys used on Netscape's servers signed and then use them on 
Apache-SSL - go visit https://www.c2.org/ to see it in action.  
If there were some big hole in Apache-SSL which allowed the server's 
private key to get compromised, sure it would be a problem for the 
merchant but not for verisign. 

> yes, another signing auth is needed

Netscape 2.0 mitigates the need for a CA - whereas 1.1 wouldn't 
even talk to you unless you had a verisign signature, 2.0 has a larger 
list of possible CA's, and also allows for arbitrary CA's or even no CA 
at all.  Look in "Security Preferences" under "Site Certificates".  I had 
an example of a site doing this handy but I lost it... arg.

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/

Received on Friday, 26 January 1996 20:45:48 UTC