Bill Frantz writes:
It seems to me that someone who has a one year export approved Verisign cert should use it to authenticate a new top-level CA cert which they pass to their customers. Cut Verisign and their nosy/noisy partner out of the loop.
My understanding is that Verisign's licensing agreement explicitly forbids using any certs they issue as CA certificates. Maybe if the 'someone' paid Verisign an appropriate fee they might allow it, but I'd bet that fee would be very high. Verisign's no dummy, they don't want to enable new competition to ride on their backs. In the case of this special strong-crypto-allowing cert, Verisign would probably be encouraged to discourage cert holders from using the special Verisign certs as CA certs, for the very reason you suggest. :-) The format of the X.509 extensions that will enable strong crypto operation will be known soon. Even if Netscape et. al. tried to keep them secret, since they're public certificates they'll be available to anyone with an ASN.1 parser. -- Eric Murray ericm@lne.com Security and cryptography applications consulting. PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF