1997-07-18 - Re: Verisign gets export approval

Header Data

From: Tom Weinstein <tomw@netscape.com>
To: Lucky Green <shamrock@netcom.com>
Message Hash: d1824f0191d88322c1af578178c65bf111aa2c8130ae95ba6c2e9f8c459dfb4a
Message ID: <33CEDD64.292388D@netscape.com>
Reply To: <Pine.3.89.9707171711.A10551-0100000@netcom2>
UTC Datetime: 1997-07-18 03:21:38 UTC
Raw Date: Fri, 18 Jul 1997 11:21:38 +0800

Raw message

From: Tom Weinstein <tomw@netscape.com>
Date: Fri, 18 Jul 1997 11:21:38 +0800
To: Lucky Green <shamrock@netcom.com>
Subject: Re: Verisign gets export approval
In-Reply-To: <Pine.3.89.9707171711.A10551-0100000@netcom2>
Message-ID: <33CEDD64.292388D@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain

Lucky Green wrote:
> On Thu, 17 Jul 1997, Tom Weinstein wrote:
>> I don't know the details of the agreement between VeriSign and the
>> USG.  I'm curious: how will the CRL for this revocation get
>> distributed?  Since Communicator doesn't automatically pull CRLs, how
>> can any action on VeriSign's part disable crypto for that server?  Or
>> are you suggesting that as part of the revocation process, the USG
>> will bust down their doors and grab all copies of their private keys?
> [Tom, I am glad that you are adding your voice to this thread].
> It is true that Communicator does not presently pull CRL's. However,
> an X.509 based application probably should pull the CRL, or at least
> verify that a cert about to be relied upon has not in fact been
> revoked by looking for a match in the CRL. It stands to reason that
> Communicator will at one point add this, IMHO proper, feature.
> I also would like to mention to the reader that yesterday's release of
> MSIE 4.0b2 *does* have the ability to check CRL's.

Yes, we will add this feature in some future release.  It will be
configurable, so if the user doesn't want to check CRLs he doesn't
have to.

> Even if Communicator would never check CRL's, not even in the future,
> the mere fact that the Global ID certs have only a one year lifetime
> means anyone relying on Global ID can be held hostage by threatening
> to refuse to renew their cert. The reader may not be aware that unlike
> other certs, the Global ID certs are *only* issued by VeriSign. You
> can not go to a non-US CA and obtain such a cert. [Which of course
> would defy the whole purpose of this rather slick deal :-]

Aren't all certs VeriSign issues only valid for one year?  This isn't
any different.

There's nothing preventing another CA from getting permission from the
USG to issue these magic certs.  We would have to distribute a patch,
but I don't see any problem with that.

> Unless VeriSign includes in the price of the Global ID cert a bond
> that will compensate the buyer of a Global ID based commerce system
> for any and all future losses caused by VeriSign either revoking or
> refusing to renew a cert (fat chance), anyone basing their strategy on
> having such a cert is at risk of losing their business.

I fail to see the problem.  Right now, if you want to communicate
securely with exportable web browsers, this is the only way to do it. 
Either you do it, or you don't.  If VeriSign doesn't renew your cert,
then you're right back where you were the previous year.

What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before      | tomw@netscape.com
transcending structure.  -- The Tao of Programming   |