VeriSign received permission to issue VeriSign's Global Server ID digital
server certificates to several, fairly broad categories of users located in
any of the 44 listed countries. This permission was granted under the BXA's
recently-issued license exception "ENC".
This same license exception is available for most crypto products; C2Net
recently received an "ENC" export license for our Stronghold web server.
Stronghold is made outside the US, so it's available worldwide even the
export license, but we had to get a license for it so VeriSign could be
allowed to issue GSID certs to sites running Stronghold.
GSID certs were announced last year by VeriSign and Netscape. Microsoft
quickly followed with their equivalent "Server Gated Crypto". These systems
use special certs to switch regular 40-bit "export grade" browsers into
128-bit mode. (Obviously, the browsers must be designed to recognize the
certs and must have 128-bit code built in. All Netscape and MSFT "export"
browsers released since early last year have this facility.)
Web sites wishing to conduct secure e-commerce with non-US based customers
are the primary audience for the GSID certs. Companies can also use GSID
certs on intranet servers to provide secure access from their non-US sites.
The beauty of the system is that it's already built into most of the
browsers currently in use around the world, so it's completely transparent
for the end user. VeriSign has a real lock on this; the problem for
competitive CA's is that the system requires a corresponding root cert be
installed in the browser. VeriSign's have been distributed with the
browsers for over a year now. In theory, a user could install a new root
cert upon visiting a site for the first time, but few e-commerce sites are
interested in putting off potential customers with such a procedure. For
this reason, VeriSign can get away with charging $895 per year for GSID
certs as opposed to $349 for regular certs.
The downside of the GSID scheme is that the certs expire annually, and
companies who rely on them are at the mercy of whatever rule changes might
be made in the future (mandatory escrow of the private key for the GSID
cert comes to mind). The GSID certs are hopefully a temporary "solution"
and it would be best to discourage anyone from relying on them too much.
C2Net's SafePassage Web Proxy is an alternative solution, but it must be
downloaded and installed by the end user. Fortify is another solution,
basically a patcher that "upgrades" export-grade Netscape browsers to run
128-bit crypto but it likewise requires active effort by the end user.
Ultimately, widespread use of Cryptozilla or other full-strength browsers
is the best solution.
At 02:50 PM 3/11/99 -0500, Richard D. Murad wrote:
Does anybody know if any "strings" were attached to this?
Rick Murad
At 07:02 PM 3/10/99 -0500, Robert Hettinga wrote:
At 2:00 PM -0500 on 3/10/99, [EMAIL PROTECTED] wrote:
Title: VeriSign OK'd for strong-crypto exports
Resource Type: News Article
Date: March 8, 1999, 12:10 p.m. PT
Source: CNET News.com
Author: Bloomberg News
Keywords: EXPORT CONTROL ,ENCRYPTION ,SOFTWARE,GOVT APPROVAL
Abstract/Summary:
VeriSign, a top maker of encryption software that keeps online
transactions secure, said it was given approval by the government
to sell strong versions of its software outside the United States,
sending its shares to a record high.
VeriSignsaid the Commerce Department's Bureau of Export
Administration gave approval for it to sell 128-bit data
encryption technology to overseas subsidiaries of U.S. companies,
online merchants, and health-care and insurance organizations.
Original URL: http://www.news.com/News/Item/0,4,33447,00.html?pfv
Added: Tue Mar 0 9:0:0 22:2 1999
Contributed by: Keeffee
-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
Philodox Financial Technology Evangelism http://www.philodox.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
--
Steve Cook e-mail: [EMAIL PROTECTED]
C2Net Software, Inc. http://www.c2.net/
1440 Broadway, Suite 700fax: 510-986-8777
Oakland, CA 94612 USA tel: 510-986-8770 Ext. 312