After a series of exchanges with Verisign, I was told that the ... ".1.6.3
OID extension contains country, zip, date of birth, and gender. This data is
masked to prevent misuse or abuse by third parties." (You can voluntarily
provide the information when requesting a cert.) I was told that I'd have
to contact my sales rep and enter some sort of non-disclosure agreement to
learn how to unmask the data. The designated sales rep has not responded.
Has anyone cracked the masking?

Bill Price

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 24, 1999 4:20 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Unknown private verisign extension
>
>
> [cc'd to PKIX for comment]
>
> [EMAIL PROTECTED] writes:
>
> >Included below is an exchange of E-Mails with Verisign support. I recently
> >obtained a Verisign cert and found an undocumented private Verisign extension
> >in it. It is obvious that I want to know what information is stored in that
> >extension. Verisign fails to give a sufficient answer.
>
> I've been trying to find out what 2.16.840.1.113733.1.6.3 and
> 2.16.840.1.113733.1.6.6 are, as well as what the policy qualifiers
> 2 16 840 1 113733 1 7 1 1 1 and 2 16 840 1 113733 1 7 1 1 2 mean, for some
> time now, but no one at Verisign will tell you.
>
> This leads to an interesting question: What are the semantics for these things?
> As far as anyone knows, the .1 policy could be "By using this certificate you
> agree to take full responsibility for any misuse of this certificate,
> regardless of what the CPS says" (which would be perfectly valid, since it's a
> policy qualifier), .2 might be "In the event of any dispute, Verisign is always
> right", .3 contains a copy of your private key encrypted with _NSAKEY :-), and
> who knows what .6 is. Since the point of a CPS is that both the end entity and
> relying party can read it and know what they're getting, wouldn't the use of
> unpublished qualifiers and extensions which can modify the CPS destroy any
> possibility of reliance on the certs which contain them?
>
> Peter.
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
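
An added example, not part of the original messages: a small DER walker that lists the extensions in a certificate's Extensions block whose OID falls under the 2.16.840.1.113733 arc quoted in the thread, with the criticality flag and the size of the opaque value. The function names and the sample bytes are constructed for illustration; the 4-byte extension values are placeholders, not real Verisign data.

```python
VERISIGN_ARC = "2.16.840.1.113733"  # prefix of the OIDs quoted in the thread

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def private_extensions(der, arc=VERISIGN_ARC):
    """Return (oid, critical, value_length) for each extension under arc."""
    found = []
    tag, pos, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    while pos < end:
        _, ext_start, ext_end = read_tlv(der, pos)   # one Extension
        _, s, e = read_tlv(der, ext_start)           # extnID
        oid = decode_oid(der[s:e])
        tag, s, e = read_tlv(der, e)                 # critical or extnValue
        critical = tag == 0x01 and der[s] != 0
        if tag == 0x01:                              # BOOLEAN was present
            tag, s, e = read_tlv(der, e)             # now the extnValue
        if oid.startswith(arc + "."):
            found.append((oid, critical, e - s))
        pos = ext_end
    return found

# Constructed sample (placeholder values): .1.6.3, basicConstraints, .1.6.6
SAMPLE = bytes.fromhex(
    "3036" "3012060a6086480186f845010603040400010203"
    "300c0603551d130101ff04023000" "3012060a6086480186f845010606040400010203")
```

Under the PKIX profile a relying party must reject a certificate carrying a critical extension it does not recognize, but may ignore a non-critical one, so checking the flag shows whether an undocumented extension can pass through validation unnoticed.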