1997-07-17 - Re: Verisign gets export approval

Header Data

From: Eric Murray <ericm@lne.com>
To: frantz@netcom.com
Message Hash: 7de5ee12738558d6d8b635be9133b239bd4eea4874f4bd8b1531842353635947
Message ID: <199707171803.LAA25949@slack.lne.com>
Reply To: <v0300781aaff3f52c25a1@[]>
UTC Datetime: 1997-07-17 18:26:19 UTC
Raw Date: Fri, 18 Jul 1997 02:26:19 +0800

Raw message

From: Eric Murray <ericm@lne.com>
Date: Fri, 18 Jul 1997 02:26:19 +0800
To: frantz@netcom.com
Subject: Re: Verisign gets export approval
In-Reply-To: <v0300781aaff3f52c25a1@[]>
Message-ID: <199707171803.LAA25949@slack.lne.com>
MIME-Version: 1.0
Content-Type: text/plain

Bill Frantz writes:
> It seems to me that someone who has a one year export approved Verisign
> cert should use it to authenticate a new top-level CA cert which they pass
> to their customers.  Cut Verisign and their nosy/noisy partner out of the
> loop.

My understanding is that Verisign's licensing agreement
explicitly forbids using any certs they issue as CA certificates.
Maybe if the 'someone' paid Verisign an appropriate fee they
might allow it, but I'd bet that fee would be very high.
Verisign's no dummy, they don't want to enable new competition
to ride on their backs.

In the case of this special strong-crypto-allowing cert, Verisign
would probably be encouraged to discourage cert holders from
using the special Verisign certs as CA certs, for the very
reason you suggest. :-)

The format of the X.509 extensions that will enable strong crypto
operation will be known soon.  Even if Netscape et. al. tried to keep
them secret, since they're public certificates they'll be available to
anyone with an ASN.1 parser.

Eric Murray  ericm@lne.com  Security and cryptography applications consulting.
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF