
Re: Verisign gets export approval




At 09:57 PM 7/16/97 -0700, Bill Stewart wrote:
>Forwarded from PGP-USERS list:
>> First PGPInc and now VeriSign? Hmmm. Is this telling us something?
>
>     "VeriSign on Monday said it received permission from 
>       the U.S. Department of Commerce to export 128-bit 
>       strong encryption software and issue digital 
>       identifications to approved organizations based on 
>       that software. "

It tells us that the US government has found yet another sucker to support
their failed policy of bait and switch. VeriSign, just as AT&T and National
Semiconductor have discovered in the past, will discover soon that the
revenue generated by "playing ball" isn't nearly as large as promised. [How
many Clipper phones and Fortezza iPower cards were sold? Total?] In fact,
the revenue may well prove to be in the negative digits.

Here is the straight dope on the VeriSign/MSFT/NSCP/USG deal:

If you are

1. A non-US bank (the feds decide what constitutes a bank) and promise to
be nice or
2. A US corporation with a server inside the US and thereby subject to
subpoena of all records

then VeriSign will issue you a special cert, subject to veto by the feds,
that will enable exportable Netscape and Microsoft browsers to connect to
your site with 128 bit SSL.

The cert is typically valid for a year, but is subject to revocation at any
time by VeriSign upon the USG's request. Such revocation or refusal to
issue a new cert after the first year of operation will leave the webserver
operator with a server that is no longer able to encrypt communications to
their customers in any meaningful way, thereby effectively shutting down
Internet based operations of the company unfortunate enough to invest in
such a flawed solution.

In other words, the USG now permits you to use strong crypto in web based
communications with your international customers if you agree to play by
the USG's rules and allow the feds to install a MASTER-OFF switch in the
heart of your business. What is most amusing from the government's
perspective is that once the USG flips the switch, it will be VeriSign,
Microsoft, and Netscape that take the heat for selling their customers such
a flawed solution.




--Lucky Green <[email protected]>
  PGP encrypted mail preferred.
  DES is dead! Please join in breaking RC5-56.
  http://rc5.distributed.net/