Re: Verisign gets export approval
On Thu, 17 Jul 1997, Tom Weinstein wrote:
> I don't know the details of the agreement between VeriSign and the
> USG. I'm curious: how will the CRL for this revocation get distributed?
> Since Communicator doesn't automatically pull CRLs, how can any action
> on VeriSign's part disable crypto for that server? Or are you
> suggesting that as part of the revocation process, the USG will bust
> down their doors and grab all copies of their private keys?
[Tom, I am glad that you are adding your voice to this thread].
It is true that Communicator does not presently pull CRLs. However, an
X.509 based application probably should pull the CRL, or at least verify
that a cert about to be relied upon has not in fact been revoked by
looking for a match in the CRL. It stands to reason that Communicator
will at one point add this, IMHO proper, feature.
I also would like to mention to the reader that yesterday's release of MSIE
4.0b2 *does* have the ability to check CRLs.
Even if Communicator would never check CRLs, not even in the future, the
mere fact that the Global ID certs have only a one year lifetime means
anyone relying on Global ID can be held hostage by threatening to
refuse to renew their cert. The reader may not be aware that unlike other
certs, the Global ID certs are *only* issued by VeriSign. You cannot
go to a non-US CA and obtain such a cert. [Which of course would defy
the whole purpose of this rather slick deal :-]
Unless VeriSign includes in the price of the Global ID cert a bond that will
compensate the buyer of a Global ID based commerce system for any and all
future losses caused by VeriSign either revoking or refusing to renew a
cert (fat chance), anyone basing their strategy on having such a cert is
at risk of losing their business.
--Lucky
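The revocation check the post says an X.509 application should make, as an added example that is not part of the original thread: Go standard-library code that builds a throwaway CA, a leaf cert and a CRL (the CA name, the hostname "shop.example" and all serial numbers are constructed, not any real CA's artifacts), then refuses to rely on the cert when its serial appears in a current, issuer-signed CRL, and refuses to conclude anything from a CRL that is stale or not signed by the issuer.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// IsRevoked does the check the post says an X.509 application should make before
// relying on a cert: confirm the CRL is from the cert's issuer and still current,
// then look for the cert's serial number among the revoked entries.
func IsRevoked(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) { return false, errors.New("CRL issuer differs from cert issuer") }
	if err := crl.CheckSignatureFrom(issuer); err != nil { return false, err } // forged or tampered CRL: distrust it
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) { return false, errors.New("CRL not current: fetch a fresh one first") }
	for _, rc := range crl.RevokedCertificates { // a serial match is the revocation test
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 { return true, nil }
	}
	return false, nil
}
// Fixture builds a constructed CA, a leaf cert it issued, and a CRL listing the given
// serials as revoked (hypothetical test values only).
func Fixture(leafSerial int64, revoked []int64) (leaf, ca *x509.Certificate, crlDER []byte, err error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required to sign CRLs
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return }
	if ca, err = x509.ParseCertificate(caDER); err != nil { return }
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(leafSerial), Subject: pkix.Name{CommonName: "shop.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil { return }
	if leaf, err = x509.ParseCertificate(leafDER); err != nil { return }
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked { crlTmpl.RevokedCertificates = append(crlTmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now}) }
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return
}
```

A stale CRL or one from the wrong issuer returns an error rather than "not revoked", so the caller cannot mistake "no fresh revocation data" for "the cert is fine".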