[3011] in cryptography@c2.net mail archive
Re: Pseudonymous S/MIME certs?
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Mon Jul 20 15:45:33 1998
In-Reply-To: <35B2DBC8.9286CC24@netscape.com>
Date: Mon, 20 Jul 1998 14:13:52 -0400
To: jsw@netscape.com (Jeff Weinstein), Enzo Michelangeli <em@who.net>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: cryptography@c2.net
At 10:55 PM -0700 7/19/98, Jeff Weinstein wrote:
>You can get free certs from verisign with a 60-day lifetime. They
>are class 1, so the only information that is verified is the email
>address. They ask for lots of information on the enrollment page,
>but it is either optional or not verified.
>
> --Jeff
Verisign requires that you agree to a sea of legalese (over 100 pages) to
get even the 60 day trial cert. Worse, you are signing a blank check
because you also agree to whatever amendments they make. Here is an exerept
from their enrollemnt page:
>>>>
By submitting this Subscriber Agreement
(and certificate application) you are requesting that the IA issue a
Digital ID (certificate) to you and are expressing your agreement to the
terms of this Subscriber Agreement. VeriSign's Public Certification
Services are governed by VeriSign's Certification Practice Statement (the
"CPS") as amended from time to time, which is incorporated by reference
into this Subscriber
Agreement. The CPS is published on the Internet in VeriSign's repository at
https://www.verisign.com/repository and
ftp://ftp.verisign.com/repository/CPS and is available via E-mail from:
CPS-requests@verisign.com. Amendments to the CPS are also posted in
VeriSign's repository at https://www.verisign.com/repository/updates.
You agree to use the Digital ID (dertificate) and any related IA services
only in accordance with the CPS.
<<<<
In particular the CPS says (12.13):
>>>>
Certificates are the personal property of their respective IA. Certificates
issued by VeriSign CAs and
VeriSign subordinate CAs contain a copyright notice: "Copyright (c)1997
VeriSign, Inc., All Rights Reserved" or
"(c)97" in connection with VeriSign. Permission is hereby granted to
reproduce and distribute certificates on a
nonexclusive, royalty-free basis, provided that they are reproduced and
distributed in full, except that certificates shall not be published in any
publicly accessible repository or directory without the express written
permission of VeriSign. This restriction is intended, in part, to protect
the privacy of subscribers against unauthorized republication of their
certificates.
<<<<
I find this quite unacceptable.
Arnold Reinhold
Got Crypto? http://ciphersaber.gurus.com
