Verisign conflict of interest opposition


ICANN Email Archives: [net-rfp-verisign]

See also http://www.financialcryptography.com/mt/archives/000332.html

...Verisign also operates a 'Lawful Intercept' service called
NetDiscovery [2]. This service is provided to "... [assist]
government agencies with lawful interception and subpoena requests
for subscriber records [3]."

We believe that under such a service, VeriSign could be required
to issue false certificates, ones _unauthorised_ by the nominal
owner. Such certificates could be employed in an attack on the
user's traffic via the DNS services now under question. Further,
the design of the SSL browser system includes a 'root list' of
trusted issuers, and a breach of _any_ of these means that the
protection afforded by SSL can now be bypassed.

.....

The cryptographers and security architects who designed the SSL system in 1994 and 1995 envisaged the issuer of certificates to be _trusted by the certificate owner_. This development represents the antithesis of this security requirement.


Contact: Jason Axley
