Re: [ILUG] SSL and a US-based HTTPS server

From: Justin Mason (jm at domain jmason.org)
Date: Thu 02 Dec 1999 - 14:38:40 GMT


Wesley Darlington said:

> As I understand it, the Thawte public root certificates embedded in IE4
> for the mac and Netscape 3.x for everything have expired. This means that
> anybody coming to your site with one of these browsers will get a message
> about a cert expiring. It'll probably be a big security alert and might be
> dissuasive (?) to potential customers - they'll assume your cert has
> expired and that you are either incompetent or not who you say or both. :-)
> They can go to the Thawte web site and upgrade the certs in their browsers
> trivially. We use a Thawte cert and while our server probably tells people
> using such browsers what to expect, I must get an email every other week
> or so telling me our certificate has expired. :-)

Yep,

Same goes for the Verisign root certs in Netscape <= 4.04.

Normally it'd be possible to just upgrade the cert files, but
unfortunately it seems that the only way to fix the bug after 1/1/2000
will be to upgrade Netscape to 4.05 or later, as there was a Y2K issue in
the date-handling part of their X509 certificate support for SSL.

There's a really crap FAQ up on Verisign's site which vaguely says this in
the most round-about, spin-laden way possible. Here it is:
http://www.verisign.com/server/cus/rootcert/faq.html : "technical and
practices (sic) considerations dictated that the expiration date be set at
12/31/99"... hmmm, gotcha ;)

As I understand it, this will mean that *any* SSL sites viewed with
Netscape <= 4.04, on all platforms, after 1/1/2000 will pop up a "this
site could not be authenticated" dialog. Sad but true.

I'd say it'd include Thawte certs as well, can't see why not -- unless
Verisign have been issuing certs using UTCTime (which has a 2-digit year
field) and Thawte were using GeneralizedTime (which has a 4-digit year
field).

BTW my recommendation would be to go with Thawte, they're much more
professional, reliable, and helpful than Verisign.

--j.
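The UTCTime/GeneralizedTime distinction raised above is the whole mechanism behind the bug. The following is an added example written for this archive page, not code from the original message or from either CA: it DER-encodes a certificate validity period both ways and decodes it with the RFC 5280 two-digit-year rule (YY >= 50 means 19YY, otherwise 20YY) beside a hypothetical pre-Y2K decoder that simply prefixes "19". The sample validity dates, the decoder names and the `naive_1900` flag are constructed for illustration.

```python
# Added example (not from the original message): DER-encoding X.509 validity
# times as UTCTime vs GeneralizedTime, and the two-digit-year pitfall.
from datetime import datetime, timezone

UTC_TIME_TAG = 0x17          # ASN.1 UTCTime:         YYMMDDHHMMSSZ
GENERALIZED_TIME_TAG = 0x18  # ASN.1 GeneralizedTime: YYYYMMDDHHMMSSZ


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value for short (< 128 byte) primitive DER values."""
    if len(body) >= 128:
        raise ValueError("long-form length not needed for time values")
    return bytes([tag, len(body)]) + body


def encode_utctime(dt: datetime) -> bytes:
    """UTCTime: only the last two digits of the year survive encoding."""
    return _der_tlv(UTC_TIME_TAG, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def encode_generalizedtime(dt: datetime) -> bytes:
    """GeneralizedTime: the full four-digit year is encoded."""
    return _der_tlv(GENERALIZED_TIME_TAG, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def decode_time(der: bytes, naive_1900: bool = False) -> datetime:
    """Decode either time type.

    naive_1900=True models a hypothetical pre-Y2K decoder that prefixes every
    UTCTime year with "19"; the default applies the RFC 5280 rule
    (YY >= 50 -> 19YY, otherwise 20YY).
    """
    tag, length = der[0], der[1]
    body = der[2:2 + length].decode("ascii")
    if len(body) != length:
        raise ValueError("truncated DER time value")
    if tag == GENERALIZED_TIME_TAG:
        return datetime.strptime(body, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == UTC_TIME_TAG:
        yy = int(body[0:2])
        if naive_1900:
            year = 1900 + yy
        else:
            year = 1900 + yy if yy >= 50 else 2000 + yy
        return datetime(year, int(body[2:4]), int(body[4:6]),
                        int(body[6:8]), int(body[8:10]), int(body[10:12]),
                        tzinfo=timezone.utc)
    raise ValueError(f"unexpected tag 0x{tag:02x}")


def is_valid_at(not_before: bytes, not_after: bytes, now: datetime,
                naive_1900: bool = False) -> bool:
    """notBefore <= now <= notAfter, the check a certificate validator performs."""
    nb = decode_time(not_before, naive_1900)
    na = decode_time(not_after, naive_1900)
    return nb <= now <= na


# Constructed sample validity period: issued mid-1999, expiring mid-2000.
NOT_BEFORE = datetime(1999, 6, 30, 12, 0, 0, tzinfo=timezone.utc)
NOT_AFTER = datetime(2000, 6, 30, 12, 0, 0, tzinfo=timezone.utc)
# Constructed "current time" shortly after the rollover.
JAN_2000 = datetime(2000, 1, 15, tzinfo=timezone.utc)


def compare_decoders(now: datetime) -> dict:
    """Validity verdicts for the same period under each encoding/decoder pair."""
    utc_nb, utc_na = encode_utctime(NOT_BEFORE), encode_utctime(NOT_AFTER)
    gen_nb, gen_na = encode_generalizedtime(NOT_BEFORE), encode_generalizedtime(NOT_AFTER)
    return {
        "utctime_rfc5280": is_valid_at(utc_nb, utc_na, now),
        "utctime_naive_1900": is_valid_at(utc_nb, utc_na, now, naive_1900=True),
        "generalizedtime_naive_1900": is_valid_at(gen_nb, gen_na, now, naive_1900=True),
    }


if __name__ == "__main__":
    for name, ok in compare_decoders(JAN_2000).items():
        print(f"{name:28s} valid on {JAN_2000.date()}: {ok}")
```

With the naive decoder, a UTCTime notAfter of "000630120000Z" becomes 30 June 1900, so the certificate reads as expired (in fact as expiring before it was issued) and the browser raises exactly the "could not be authenticated" class of warning the message describes; the same period encoded as GeneralizedTime validates correctly even under that decoder, which is why the encoding choice matters for a root whose expiry straddles the rollover.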



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:05:03 GMT