
-----BEGIN PGP SIGNED MESSAGE-----

In article <33D04A75.31E08282@netscape.com>, Tom Weinstein <tomw@netscape.com> wrote:
> amp@pobox.com wrote:
> > > There's nothing preventing another CA from getting permission from the USG to issue these magic certs. We would have to distribute a patch, but I don't see any problem with that.
> >
> > uh, why does one need permission of the usg to issue "magic certs"?
>
> Because issuing these certs is defined as a "defense service".

It is in no way a defense service for Ian's Certificate Authority to issue a digital certificate to Steve's Offshore Laundry, Inc. that basically says "I think communications to the holder of this cert should use 128-bit encryption.", even if it uses the same V3 extension that Verisign uses.

Now, if some company were to sell a browser overseas that enabled 128-bit encryption when it saw _any_ cert with this extension (or even any such cert from a CA in the user's trusted CAs list), I'd say it's the browser company that's supplying the encryption, not the CA; the CA just issued a signed statement of fact/opinion.

It would seem to me, though, that the only reason Netscape was able to release a browser with the "128-bit-if-Verisign-magic" mode overseas was that the USG had gotten Verisign to agree that it wouldn't issue Verisign-magic certs to "alleged terrorists", etc. If Verisign reneges on the agreement, and issues the Verisign-magic certs to left-handed albino money-laundering aliens, they'd be in violation of whatever they signed with the USG, but certainly not in violation of the crypto export regs (which, now that they're under Commerce, I'm not sure even have a "defense service" category anymore).

So in answer to the original question (IMHO), you don't need the permission of the USG to issue "magic" certs (ones with the V3 extension). It's just that browser companies won't be allowed to make browsers that turn on strong encryption for _your_ "magic" certs unless the USG trusts you not to give such certs to just anybody.

Contrasting this situation with Microsoft signing CAPI modules is left as an exercise for the reader.

   - Ian "I believe that the bearer of this signed message should be entitled to use as strong crypto as he likes."

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM9FR/kZRiTErSPb1AQG0ogP9HC1bMyak7D1PEgRHVHPYU+a5BzTpyf/W
4aYINON+eKxw0PbDM6Q6FjnP8r1dXSBPH1T8v+2RbTqQ0A4bGVEZWGlcJv5jzuRG
pJb/PuZQwNgecp2sx/sniyfHJdhE6H4omiaDa2URO00Mr9s7iotFleC5LdgGg+XV
n9EeJJDxLtY=
=mp59
-----END PGP SIGNATURE-----