1997-07-18 - Re: Verisign gets export approval

Header Data

From: Lucky Green <shamrock@netcom.com>
To: Tom Weinstein <tomw@netscape.com>
Message Hash: 380a553832bf5cc60af6cfe4e37ab199ec0f39146cd47c4ab98348e4b710b4da
Message ID: <Pine.3.89.9707171711.A10551-0100000@netcom2>
Reply To: <33CEBACC.31388B70@netscape.com>
UTC Datetime: 1997-07-18 01:37:54 UTC
Raw Date: Fri, 18 Jul 1997 09:37:54 +0800

Raw message

From: Lucky Green <shamrock@netcom.com>
Date: Fri, 18 Jul 1997 09:37:54 +0800
To: Tom Weinstein <tomw@netscape.com>
Subject: Re: Verisign gets export approval
In-Reply-To: <33CEBACC.31388B70@netscape.com>
Message-ID: <Pine.3.89.9707171711.A10551-0100000@netcom2>
MIME-Version: 1.0
Content-Type: text/plain

On Thu, 17 Jul 1997, Tom Weinstein wrote:

> I don't know the details of the agreement between VeriSign and the
> USG.  I'm curious: how will the CRL for this revocation get distributed?
> Since Communicator doesn't automatically pull CRLs, how can any action
> on VeriSign's part disable crypto for that server?  Or are you
> suggesting that as part of the revocation process, the USG will bust
> down their doors and grab all copies of their private keys?

[Tom, I am glad that you are adding your voice to this thread].

It is true that Communicator does not presently pull CRL's. However, an 
X.509 based application probably should pull the CRL, or at least verify 
that a cert about to be relied upon has not in fact been revoked by 
looking for a match in the CRL. It stands to reason that Communicator 
will at one point add this, IMHO proper, feature.

I also would like to mention to the reader that yesterday's release of MSIE 
4.0b2 *does* have the ability to check CRL's.

Even if Communicator never checked CRL's, not even in the future, the
mere fact that the Global ID certs have only a one year lifetime means 
anyone relying on Global ID can be held hostage by threatening to 
refuse to renew their cert. The reader may not be aware that unlike other 
certs, the Global ID certs are *only* issued by VeriSign. You can 
not go to a non-US CA and obtain such a cert. [Which of course would defy 
the whole purpose of this rather slick deal :-]

Unless VeriSign includes in the price of the Global ID cert a bond that will 
compensate the buyer of a Global ID based commerce system for any and all 
future losses caused by VeriSign either revoking or refusing to renew a 
cert (fat chance), anyone basing their strategy on having such a cert is 
at risk of losing their business.
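The relying-party check argued for above, as an added example that is not part of the original message or of Communicator, MSIE or VeriSign's own code: before trusting a certificate, confirm the chain and the certificate's lifetime, verify the CA's signature on the CRL, make sure the CRL is not past its nextUpdate, and then look for the certificate's serial number among the revoked entries. The CA name, the serial numbers and the host name shop.example are constructed for the demo; the server certificate is given a one-year lifetime to mirror the Global ID point; Go's standard crypto/x509 package (1.21 or later, for RevokedCertificateEntries) is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI holds a constructed CA, one server cert and a CRL signed by the CA.
// Every name and serial number here is made up for this example.
type DemoPKI struct {
	CACert *x509.Certificate
	Leaf   *x509.Certificate
	CRLDER []byte
}

// BuildDemoPKI issues a one-year server certificate from a throwaway CA and
// publishes a CRL. With revokeLeaf set, the CRL lists the server cert's serial.
func BuildDemoPKI(revokeLeaf bool) (*DemoPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// crlSign is required for the CA to issue CRLs at all.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // constructed serial
		Subject:      pkix.Name{CommonName: "shop.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour), // one-year lifetime, like a Global ID cert
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), // a relying party must refuse a CRL older than this
	}
	if revokeLeaf {
		crlTmpl.RevokedCertificateEntries = []x509.RevocationListEntry{{
			SerialNumber:   leaf.SerialNumber,
			RevocationTime: now,
			ReasonCode:     1, // keyCompromise in RFC 5280's CRLReason; picked arbitrarily for the demo
		}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{CACert: caCert, Leaf: leaf, CRLDER: crlDER}, nil
}

// CheckCert is the relying-party side: chain and lifetime first, then a CRL
// whose signature the CA verifies and which is not past its nextUpdate, then
// the serial-number match the message describes. A nil result means "trust".
func CheckCert(leaf, ca *x509.Certificate, crlDER []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return fmt.Errorf("chain/lifetime: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale: nextUpdate %s already passed", crl.NextUpdate.UTC())
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s (reason %d)", e.SerialNumber, e.RevocationTime.UTC(), e.ReasonCode)
		}
	}
	return nil
}
```

Running CheckCert at the present time against the unrevoked CRL returns nil; against the CRL that lists serial 4242 it returns the revocation error, which is the lever revocation gives the CA. Running it 366 days out fails on lifetime before the CRL is even consulted, which is the second lever the message points at: a one-year cert that the sole issuer declines to renew stops validating with no CRL involved.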