
Re: Verisign gets export approval




Bill Frantz writes:
> 
> It seems to me that someone who has a one year export approved Verisign
> cert should use it to authenticate a new top-level CA cert which they pass
> to their customers.  Cut Verisign and their nosy/noisy partner out of the
> loop.

My understanding is that Verisign's licensing agreement
explicitly forbids using any certs they issue as CA certificates.
Maybe if the 'someone' paid Verisign an appropriate fee they
might allow it, but I'd bet that fee would be very high.
Verisign's no dummy, they don't want to enable new competition
to ride on their backs.

In the case of this special strong-crypto-allowing cert, Verisign
would probably be encouraged to discourage cert holders from
using the special Verisign certs as CA certs, for the very
reason you suggest. :-)

The format of the X.509 extensions that will enable strong crypto
operation will be known soon.  Even if Netscape et al. tried to keep
them secret, since they're public certificates they'll be available to
anyone with an ASN.1 parser.


-- 
Eric Murray  [email protected]  Security and cryptography applications consulting.
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF
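
Added example, not part of the original message: a minimal DER reader showing that every extension in a public certificate, including one whose meaning is unpublished, is visible as an OID, a critical flag and raw value bytes. The sample Extensions blob is constructed for illustration; `2.999.1` is a placeholder from the example OID arc, not the real strong-crypto extension.

```python
def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear ends a sub-identifier
            subids.append(value)
            value = 0
    first = subids[0]                       # first two arcs share one sub-identifier
    arc = 0 if first < 40 else 1 if first < 80 else 2
    return ".".join(map(str, [arc, first - 40 * arc] + subids[1:]))

def list_extensions(der):
    """Parse a DER 'SEQUENCE OF Extension' into (oid, critical, value) tuples."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        t, oid, p = read_tlv(ext, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed Extension")
        t, val, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                       # optional BOOLEAN, DEFAULT FALSE
            critical = val != b"\x00"
            t, val, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be OCTET STRING")
        found.append((decode_oid(oid), critical, val))
    return found

# Constructed sample: critical basicConstraints (2.5.29.19) with CA absent,
# i.e. not a CA cert, plus an extension under the placeholder OID 2.999.1.
SAMPLE = bytes.fromhex("301a300c0603551d130101ff04023000300a060388370104030101ff")
```

A relying party that sees an unknown OID marked critical must reject the certificate, while a non-critical one is ignored by software that does not understand it; either way the bytes are readable by anyone.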