Re: Expiring root CA in web browsers --Y2K

[neil lehrer <nlehrer () ibb gov>]

at least for netscape, you can go to
www.netscape.com/security/index.html?cp=hom11cnse which has info on
updating your root CA certificate.  i was able to update a netscape 3.x
browser this way.



don Wang wrote:
> Folks,
>
> I am not sure if this is the right place to post this message. Since you
> guys are security experts in general, maybe you can shed some insight?
> or maybe suggest a better group to post? Thanks and happy holidays!
>
> Don
> -------------------------sorry, load of questions ....
> ----------------------
>
> As many of you are familiar with this, to communicate securely with
> online banking sites (among others), one's browser needs to establish a
> SSL session with the server, certificates are exchanges, and the session
> is secured subsequently.
>
> A lot of companies use VeriSign server certificates, which in turn
> require users' browsers to have valid VeriSign/RSA Secure Server CAs
> (root CA). Given that old browsers, such as Internet Explorer (3.02 or
> older) and Netscape 4.05 or older, all carry VeriSign root CA that
> expires on December 31, 1999, many users will encounter warning messages
> when they try to access secure servers that uses VeriSign server cert on
> January 1, 2000. Yes, this coincide with the Y2K issue, although it has
> nothing to do with the 2-digit year format.
>
> Question:
> 1.  Can secure SSL sessions be established after Y2K, using the older
> browsers, with expired root CA? What are the risks, if any?
>
> 2.  Can one simply upgrade the root CA rather than upgrade the whole
> browser? This may especially make sense if one uses modem dial up and
> already have relatively recent browser, such as netscape 4.05
> communicator? What are the implications and risks?
>
> 3.  Since IE 3.02 does not warn users about the expiring CA issue, can
> there be a secure SSL connection? It appears to be so, even without any
> warning.
>
> 4.  IE 4 and 5 have two VeriSign CAs, one expiring on Dec. 31, 1999, and
> the other in 2010. How does IE decide which root CA to use? does it
> automatically switch to valid CA? One would assume so, but I have yet to
> get clear technical statement from Microsoft that this is the indeed the
> case.
>
> 5.  AOL browser: Since any version of AOL browsers encompasses more than
> more one version of IE, (e.g. AOL 4.0 can have IE version from 3.01 to
> 5.0, all under the umbrella of AOL4), how can a web server differentiate
> different IE versions from AOL?  This is important if the secure web
> server decides to support only certain versions of browsers (such as IE
> 4 or higher).
>
> That's all for now.
>
> Thanks again for any input you have!
>
> Don

-- 


regards

+++++++++++++++++++++++++++++++++++++++++++++++++
+ Neil Lehrer                       
+
+ United States International Broadcasting Bureau
+ System Development Division
+                                   
+ voice    202 619-2524             
+ fax      202 619-3576             
+ nlehrer () ibb gov
+                                   
+ " is this crisis an opportunity or just
+   another grab the fire extinguisher moment?"
+                              
+++++++++++++++++++++++++++++++++++++++++++++++++