[801] in WWW Security List Archive
Re: SSL, X509 Certificates and EuroSign
daemon@ATHENA.MIT.EDU (Michael Markowitz)
Tue Aug 1 19:44:33 1995
Date: Tue, 01 Aug 1995 14:21:52 +0000
From: mjmarkowitz@attmail.com (Michael Markowitz)
To: JohnHemming@mkn.co.uk (John Hemming (Chief Executive MarketNet )),
www-security@ns2.rutgers.edu
Cc: lemorton@attmail.com (Leven E Morton),
rschlafly@attmail.com (Roger Schlafly)
Errors-To: owner-www-security@ns2.rutgers.edu
John Hemming (Chief Executive, MarketNet) wrote:
>Should RSA really sit at the top of commercial CAs so that
>no-one can become a CA without their permission?
It's probably worse than it appears, John. According to paragraph 2.2 of the
"VeriSign Commerce Server Legal Agreement" (or "VeriSign Secure Server
Hierarchy Agreement"), the "Customer shall use the enclosed Digital ID only in
conjunction with RSA software." Since "RSA Software" is defined as "Software
licensed from RSA Data Security, Inc. or licensees of RSA..." we read this as
implying that you CANNOT fit into their CA hierarchy (or even use their root
certificate?) unless you've licensed your crypto code directly from RSADSI.
(AT&T/ISC is the only other "licensed" supplier of linkable RSA code of which
I'm aware--and our code cannot be freely exported.)
I'd like to see a legal analysis of paragraph 2.2 in relation to US
anti-trust statutes (there appear to be some laws against setting up a
wholly-owned subsidiary to create a monopoly for your primary business that
might apply here, I think). How it affects you is almost as interesting.
Assuming RSADSI public key code also cannot be exported (there's got to be a
limit to what even they can do, doesn't there?), how are you going to become a
licensee?
Cheers.
-mjm
-----------
Michael J. Markowitz, VP R&D
Information Security Corp.
Deerfield, IL 60015