Full Disclosure mailing list archives
Re: PGP vs. certificate from Verisign
From: yossarian <yossarian () planet nl>
Date: Sun, 11 May 2003 00:01:56 +0200
Jason wrote:
> They do exist and have... http://crl.verisign.com/
Well, apparently this is a CRL list. Good. Then some questions remain: would this server handle a few 100.000 concurrent requests getting a 666k or 118k file? Could this be a CDP for use of MS certs, or should they have built it themselves? The certs included were Verisign's; the cert did not include a CDP. I don't think it was MS's responsibility.

Other minor question: why does the RPA shout "YOU ARE SOLELY RESPONSIBLE FOR DECIDING WHETHER OR NOT TO RELY ON THE INFORMATION IN A CERTIFICATE." (item 3)? The RPA also states that if my browser decides to check a CRL, as a Relying Party (I will be) obligated to:

(i) independently assess the appropriateness of the use of a Certificate for any given purpose and determine that the Certificate will, in fact, be used for an appropriate purpose;

(ii) utilize the appropriate software and/or hardware to perform digital signature verification or other cryptographic operations you wish to perform, as a condition of relying on a Certificate in connection with each such operation. Such operations include identifying a Certificate Chain and verifying the digital signatures on all Certificates in the Certificate Chain. You agree that you will not rely on a Certificate unless these verification procedures are successful;

(iii) check the status of a Certificate on which you wish to rely, as well as all the Certificates in its Certificate Chain. If any of the Certificates in the Certificate Chain have been revoked, you agree that you will not rely on the end-user Subscriber Certificate or other revoked Certificate in the Certificate Chain; and

(iv) rely on the Certificate, if all of the checks described in the previous paragraphs are successful, provided that reliance upon the Certificate is reasonable under the circumstances and in light of Section 3 of this Agreement. If the circumstances indicate a need for additional assurances, it is your responsibility to obtain such assurances for such reliance to be deemed reasonable.
Well? How does one do that? And then this:

You agree to release, indemnify, defend and hold harmless VeriSign and any non-VeriSign CAs or RAs, and any of their respective contractors, agents, employees, officers, directors, shareholders, affiliates and assigns from all liabilities, claims, damages, costs and expenses, including reasonable attorney's fees and expenses, of third parties relating to or arising out of (i) your failure to perform the obligations of a Relying Party, (ii) your reliance on a Certificate that is not reasonable under the circumstances, or (iii) your failure to check the status of a Certificate to determine if the Certificate is expired or revoked. When VeriSign is threatened with suit or sued by a third party, VeriSign may seek written assurances from you concerning your promise to indemnify VeriSign; your failure to provide those assurances may be considered by VeriSign to be a material breach of this Agreement. VeriSign shall have the right to participate in any defense by you of a third-party claim related to your use of any VeriSign services, with counsel of our choice at your own expense. You shall have sole responsibility to defend VeriSign against any claim, but you must receive VeriSign's prior written consent regarding any related settlement. The terms of this Section 11 will survive any termination or cancellation of this Agreement.
> you have to read the CPS, know the liabilities, and then accept them IMHO.
As you can see, I have done this. Now I know the liabilities and my duties.... I do not accept them.

To Kurt: Maybe there is no real new disclosure in this, but should full disclosure necessarily be new? We can't all know everything, and there are all too many people wanting to learn here. The original question that started the discussion was quite off topic, so it had to evolve this way.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
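The two obligations the quoted RPA puts on the relying party, (ii) build the chain and verify every signature in it and (iii) check the revocation status of every certificate in that chain, can be exercised end to end with nothing but the openssl command line. The script below is an added example; it is not part of the original message and not VeriSign's material. It builds a throwaway root CA, issues a leaf certificate that carries a CRL Distribution Point, publishes a CRL that revokes that leaf, and then runs the checks with and without the CRL. The CA name, the hostname www.example.test and the CDP URL http://crl.example.test/root.crl are invented placeholders; nothing is fetched from the network, the CRL is handed to openssl as a local file.

```shell
#!/bin/sh
# Added example, not code from the original thread or from VeriSign.
# Builds a throwaway root CA, a leaf cert with a CRL Distribution Point and
# a CRL revoking that leaf, then runs the relying-party checks from the RPA:
# (ii) chain + signatures, (iii) revocation status of every cert in the chain.
# CA name, hostname and CDP URL below are invented; the CDP is never fetched.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CDP_URL="http://crl.example.test/root.crl"   # hypothetical CDP, not contacted

# One config serves both `openssl req` ([req]) and `openssl ca` ([ca], which
# needs a certificate database, a serial file and a CRL number file).
write_ca_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 7
default_crl_days = 7
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints      = CA:FALSE
crlDistributionPoints = URI:$CDP_URL
EOF
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
}

build_pki() {
    write_ca_config
    # Self-signed root: the trust anchor the relying party already holds.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 \
        -config "$WORK/ca.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Leaf CSR, issued through `openssl ca` so its serial lands in the database.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
        -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions v3_leaf \
        -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
    # CRL before any revocation, then revoke the leaf and publish a fresh CRL.
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/empty.crl" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" \
        -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/root.crl" 2>/dev/null
}

# The URL a checker would have to fetch the CRL from (the CDP extension).
cdp_of() {
    openssl x509 -in "$1" -noout -text | grep -o 'URI:[^[:space:]]*' \
        | head -n 1 | sed 's/^URI://'
}

# RPA item (ii) only: chain building plus signature checks. openssl's default
# never looks at a CRL, so a revoked certificate still passes this.
verify_chain_only() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# RPA item (iii): the same plus CRL status of every certificate in the chain
# (-crl_check_all), using a CRL the caller fetched from the CDP beforehand.
# Prints "good", "revoked" or openssl's own reason; exit status 0 only for good.
check_with_crl() {
    out=$(openssl verify -crl_check_all -CAfile "$WORK/ca.crt" \
              -CRLfile "$2" "$1" 2>&1) && { echo good; return 0; }
    echo "$out" | grep -q 'certificate revoked' && { echo revoked; return 1; }
    echo "$out" | sed -n 's/.*depth lookup: //p' | head -n 1
    return 1
}

build_pki
LEAF="$WORK/leaf.crt"
echo "CDP in leaf cert   : $(cdp_of "$LEAF")"
echo "CRL size           : $(wc -c < "$WORK/empty.crl") bytes empty, $(wc -c < "$WORK/root.crl") bytes with one entry"
verify_chain_only "$LEAF" && echo "chain only         : OK (revocation never consulted)"
echo "chain + empty CRL  : $(check_with_crl "$LEAF" "$WORK/empty.crl")"
echo "chain + current CRL: $(check_with_crl "$LEAF" "$WORK/root.crl")"
```

The result to notice is the first verification: with no CRL options, openssl verify reports the revoked certificate as valid, which is exactly what a client that never fetches the CDP will see. Revocation is only enforced once the caller supplies a current CRL and asks for the check explicitly (-crl_check covers the leaf alone; -crl_check_all covers every certificate in the chain, which is what item (iii) demands). The two CRL sizes printed also show where files of 118k or 666k come from: every revoked serial adds an entry, so the download grows with the CA's revocation history, not with what the relying party needs for one certificate.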