1997-07-17 - Re: Verisign gets export approval

Header Data

From: Lucky Green <shamrock@netcom.com>
To: Bill Stewart <cypherpunks@toad.com
Message Hash: 9c6bfd0cf74594256bc3b9083cc86878098307ccc2966587e4277ffe959303a3
Message ID: <>
Reply To: <>
UTC Datetime: 1997-07-17 07:23:29 UTC
Raw Date: Thu, 17 Jul 1997 15:23:29 +0800

Raw message

From: Lucky Green <shamrock@netcom.com>
Date: Thu, 17 Jul 1997 15:23:29 +0800
To: Bill Stewart <cypherpunks@toad.com
Subject: Re: Verisign gets export approval
In-Reply-To: <>
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain

At 09:57 PM 7/16/97 -0700, Bill Stewart wrote:
>Forwarded from PGP-USERS list:
>> First PGPInc and now VeriSign? Hmmm. Is this telling us something?
>     "VeriSign on Monday said it received permission from 
>       the U.S. Department of Commerce to export 128-bit 
>       strong encryption software and issue digital 
>       identifications to approved organizations based on 
>       that software. "

It tells us that the US government has found yet another sucker to support
their failed policy of bait and switch. VeriSign, just as AT&T and National
Semiconductor have discovered in the past, will discover soon that the
revenue generated by "playing ball" isn't nearly as large as promised. [How
many Clipper phones and Fortezza iPower cards were sold? Total?] In fact,
it the revenue may well prove to be in the negative digits.

Here is the straight dope on the VeriSign/MSFT/NSCP/USG deal:

If you are

1. A non US-bank (the feds decide what constitutes a bank) and promise to
be nice or
2. A US corporation with a server inside the US and thereby subject to
subpoena of all records

then VeriSign will issue you a special cert, subject to veto by the feds,
that will enable exportable Netscape and Microsoft browsers to connect to
your site with 128 bit SSL.

The cert is typically valid for a year, but is subject to revocation at any
time by VeriSign upon the USG's request. Such revocation or refusal to
issue a new cert after the first year of operation will leave the webserver
operator with a server that is no longer able to encrypt communications to
their customers in any meaningful way, thereby effectively shutting down
Internet based operations of the company unfortunate enough to invest in
such a flawed solution.

In other words, the USG now permits you to use strong crypto in web based
communications with your international customers if you agree to play by
the USG's rules and allow the feds to install a MASTER-OFF switch in the
heart of your business. What is most amusing from the government's
perspective is that once the USG flips the switch, it will be VeriSign,
Microsoft, and Netscape that take the heat for selling their customers such
a flawed solution.

--Lucky Green <shamrock@netcom.com>
  PGP encrypted mail preferred.
  DES is dead! Please join in breaking RC5-56.