1997-07-17 - Re: Verisign gets export approval

Header Data

From: Lucky Green <shamrock@netcom.com>
To: “Michael Froomkin - U.Miami School of Law” <froomkin@law.miami.edu>
Message Hash: cdef18a2c8de8a3a261b51503360e4585ca4b57acf2246b6ff85e0eaa688e5bc
Message ID: <Pine.3.89.9707171435.A21378-0100000@netcom2>
Reply To: <Pine.SOL.3.95.970717141434.17072P-100000@viper.law.miami.edu>
UTC Datetime: 1997-07-17 22:03:40 UTC
Raw Date: Fri, 18 Jul 1997 06:03:40 +0800

Raw message

From: Lucky Green <shamrock@netcom.com>
Date: Fri, 18 Jul 1997 06:03:40 +0800
To: "Michael Froomkin - U.Miami School of Law" <froomkin@law.miami.edu>
Subject: Re: Verisign gets export approval
In-Reply-To: <Pine.SOL.3.95.970717141434.17072P-100000@viper.law.miami.edu>
Message-ID: <Pine.3.89.9707171435.A21378-0100000@netcom2>
MIME-Version: 1.0
Content-Type: text/plain

On Thu, 17 Jul 1997, Michael Froomkin - U.Miami School of Law wrote:

> I think it tells us that Verisign managed to convince the government that
> their product is only used for authentication, not encrypting content. 
> Which appears currently to be true, no?  And since AFIK (Please, someone,
> correct this if I'm wrong!) you can't with netscape anyway download
> another party's key that you verify with a Verisign certificate, it would
> take a fair amount of work for the ordinary user to set up a secure
> channel using the current Verisign infrastructure.   

True, the certs themselves are not covered by the export controls. But we
aren't talking about export law. We are talking about a four way
contract between Netscape, Microsoft, VeriSign, and the US government. 

Under that contract:

o VeriSign will only issue Global ID certs to US
companies with all their servers located in the US and overseas banks with
servers abroad that play by the USG's rules. Once the USG no longer approves
of the participants using strong crypto with their customers, VeriSign
will revoke the cert, disabling secure communications, and thereby severely
damaging, if not destroying, the business of the party unfortunate enough
to have relied on such a cert for their livelyhood. 

o Netscape and Microsoft get a blanket approval to ship their servers to 
non-US banks that meet the USG's criteria.

o Netscape and Microsoft also receive approval to export browsers that can 
use strong crypto *exclusively* with sites the USG and VeriSign approve of.

o The USG no longer has to waste time handling export applications it
doesn't mind approving anyway, such as those for US-friendly foreign banks.
And the USG no longer has to listen to US companies complain because they
are unable to provide their non-US customers with secure access to the 
sever located in the US.

Lastly, and most importantly, every purchaser of a VeriSign Global ID cert
allows the USG and VeriSign to install a MASTER-OFF switch in the heart of
their business. I feel sorry for the poor suckers that will lose home and 
hearth after subscribing to this fatally flawed solution.