I think it tells us that Verisign managed to convince the government that their product is only used for authentication, not encrypting content. Which appears currently to be true, no? And since AFIK (Please, someone, correct this if I'm wrong!) you can't with netscape anyway download another party's key that you verify with a Verisign certificate, it would take a fair amount of work for the ordinary user to set up a secure channel using the current Verisign infrastructure. The ITAR exception for authentication-only products is of long standing. On Wed, 16 Jul 1997, Bill Stewart wrote:
Forwarded from PGP-USERS list:
First PGPInc and now VeriSign? Hmmm. Is this telling us something?
"VeriSign on Monday said it received permission from the U.S. Department of Commerce to export 128-bit strong encryption software and issue digital identifications to approved organizations based on that software. "
"Under the 128-bit scheme approved by the U.S. government Monday, companies will not need to place their encryption keys in escrow, or submit to U.S. government key-recovery requirements in order to use VeriSign's software, company officials said."
# Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp # (If this is a mailing list or news, please Cc: me on replies. Thanks.)
A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | "Cyberspace" is not a place. U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's @%#$%$# hot here.