1997-07-19 - Re: Verisign gets export approval

Header Data

From: iang@cs.berkeley.edu (Ian Goldberg)
To: cypherpunks@cyberpass.net
Message Hash: b49630b4d68245eb870805d8cb9d0d175686f963c029a9564998db6766807de7
Message ID: <5qrjmb$nma@abraham.cs.berkeley.edu>
Reply To: <Pine.3.89.9707171711.A10551-0100000@netcom2>
UTC Datetime: 1997-07-19 23:53:24 UTC
Raw Date: Sun, 20 Jul 1997 07:53:24 +0800

Raw message

From: iang@cs.berkeley.edu (Ian Goldberg)
Date: Sun, 20 Jul 1997 07:53:24 +0800
To: cypherpunks@cyberpass.net
Subject: Re: Verisign gets export approval
In-Reply-To: <Pine.3.89.9707171711.A10551-0100000@netcom2>
Message-ID: <5qrjmb$nma@abraham.cs.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


In article <33D04A75.31E08282@netscape.com>,
Tom Weinstein <tomw@netscape.com> wrote:
>amp@pobox.com wrote:
>>> There's nothing preventing another CA from getting permission from
>>> the USG to issue these magic certs.  We would have to distribute a
>>> patch, but I don't see any problem with that.
>> uh, why does one need permission of the usg to issue "magic certs"?
>Because issuing these certs is defined as a "defense service".

It is in no way a defense service for Ian's Certificate Authority to issue
a digital certificate to Steve's Offshore Laundry, Inc. that basically
says "I think communications to the holder of this cert should use 128-bit
encryption.", even if it uses the same V3 extension that Verisign uses.

Now, if some company were to sell a browser overseas that enabled 128-bit
encryption when it saw _any_ cert with this extension (or even any such
cert from a CA in the user's trusted CAs list), I'd say it's the browser
company that's supplying the encryption, not the CA; the CA just issued
a signed statement of fact/opinion.

It would seem to me, though, that the only reason Netscape was able to
release a browser with the "128-bit-if-Verisign-magic" mode overseas
was that the USG had gotten Verisign to agree that it wouldn't issue
Verisign-magic certs to "alledged terrorists", etc.  If Verisign renegs
on the agreement, and issues the Verisign-magic certs to left-handed
albino money-laundering aliens, they'd be in violation of whatever
they signed with the USG, but certainly not in violation of the crypto
export regs (which, now that they're under Commerce, I'm not sure even have
a "defense service" category anymore).

So in answer to the original question (IMHO), you don't need the permission
of the USG to issue "magic" certs (ones with the V3 extension).  It's just
that browser companies won't be allowed to make browsers that turn on
strong encryption for _your_ "magic" certs unless the USG trusts you
not to give such certs to just anybody.

Contrasting this situation with Microsoft signing CAPI modules is left
as an exercise for the reader.

   - Ian "I believe that the bearer of this signed message should be entitled
          to use as strong crypto as he likes."

Version: 2.6.2