I don't think your scenario makes sense. You seem to think that CALEA will require Verisign and other CAs to deliver a false certificate to a targetted individual in order to allow eavesdropping on a secured connection. I am not aware of any such precedent or provision in the law. From what I can see, NetDiscovery is simply an service bureau that allows small ISPs to outsource the many administrative tasks involved in complying with CALEA. There is no indication that Verisign's certification services would be involved.
And if CALEA does in fact give law enforcement the power to compel a CA to perform such a fraud, any CA would have to respond to it, not just Verisign.
Posted by Cypherpunk at February 3, 2005 03:08 PMConsidering that they are technically in possesion of all those stolen domain names, they are "in possesion of stolen property", a crime almost everywhere except around Washington. I notified my Congressman about a year and a half ago about the problems which can occur due to hijacking of domain names and the lack of effort to thwart this. Unfortunately, Joe Barton, now chairman of the House Commerce Committee, refuses to do anything against the wishes of big business. Most of his constituents can not get broadband Internet connections or even a phone line that will run 56K. But then Joe says he can't get DSL at home either. Rest assured he will do whatever VeriSign tells him to do.
For those conspiracy theorists out there:
The root name servers are probably right across the parking lot from the CIA facility in Reston. Probably on the same fiber loop which connects that facility, NRO, Warrenton Training Center, Quantico, and probably other spooks. The web site said about 18 total.
As for trust, words like honesty and trustworthy have different definitions close to the semantic black hole inside the Beltway.
-- crypto@ovillatx.sytes.net
Posted by Irk at February 6, 2005 01:10 PMCypherpunk,
just to clarify there - I have no idea whether CALEA will "require" or otherwise. What I'm referring to here is that VeriSign is now in the position of dealing with subpoenas from courts. We don't need a reference to law or precedent or CALEA as subpoenas are issued all the time, and they say what is required.
Now, there is a question as to what VeriSign will do when asked to intercept an SSL-secured session. It may say "this is not covered by CALEA" or it may not. In analysing this question, we have to look at the interests of Verisign.
The point of the letter to ICANN is that it has a _conflict of interest_ in decideding how to respond. For VeriSign, it is now representing two different parties, and this is a classic flaw in a governance model. We are not saying that Verisign shouldn't or should intercept, but that the end customer should be represented by an unbiased, disinterested and trusted third party who won't be placed in this conflict of interest.
Posted by Iang at February 6, 2005 01:19 PM