Re: Verisign gets export approval




-----BEGIN PGP SIGNED MESSAGE-----

In article <[email protected]>,
Tom Weinstein <[email protected]> wrote:
>[email protected] wrote:
>> 
>>> There's nothing preventing another CA from getting permission from
>>> the USG to issue these magic certs.  We would have to distribute a
>>> patch, but I don't see any problem with that.
>> 
>> uh, why does one need permission of the usg to issue "magic certs"?
>
>Because issuing these certs is defined as a "defense service".

It is in no way a defense service for Ian's Certificate Authority to issue
a digital certificate to Steve's Offshore Laundry, Inc. that basically
says "I think communications to the holder of this cert should use 128-bit
encryption.", even if it uses the same V3 extension that Verisign uses.

Now, if some company were to sell a browser overseas that enabled 128-bit
encryption when it saw _any_ cert with this extension (or even any such
cert from a CA in the user's trusted CAs list), I'd say it's the browser
company that's supplying the encryption, not the CA; the CA just issued
a signed statement of fact/opinion.

It would seem to me, though, that the only reason Netscape was able to
release a browser with the "128-bit-if-Verisign-magic" mode overseas
was that the USG had gotten Verisign to agree that it wouldn't issue
Verisign-magic certs to "alleged terrorists", etc.  If Verisign reneges
on the agreement, and issues the Verisign-magic certs to left-handed
albino money-laundering aliens, they'd be in violation of whatever
they signed with the USG, but certainly not in violation of the crypto
export regs (which, now that they're under Commerce, I'm not sure even have
a "defense service" category anymore).

So in answer to the original question (IMHO), you don't need the permission
of the USG to issue "magic" certs (ones with the V3 extension).  It's just
that browser companies won't be allowed to make browsers that turn on
strong encryption for _your_ "magic" certs unless the USG trusts you
not to give such certs to just anybody.

Contrasting this situation with Microsoft signing CAPI modules is left
as an exercise for the reader.

   - Ian "I believe that the bearer of this signed message should be entitled
          to use as strong crypto as he likes."

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM9FR/kZRiTErSPb1AQG0ogP9HC1bMyak7D1PEgRHVHPYU+a5BzTpyf/W
4aYINON+eKxw0PbDM6Q6FjnP8r1dXSBPH1T8v+2RbTqQ0A4bGVEZWGlcJv5jzuRG
pJb/PuZQwNgecp2sx/sniyfHJdhE6H4omiaDa2URO00Mr9s7iotFleC5LdgGg+XV
n9EeJJDxLtY=
=mp59
-----END PGP SIGNATURE-----