[Full-Disclosure] PGP vs. certificate from Verisign
yossarian at planet.nl
Sat May 10 23:01:56 BST 2003
> They do exist and have... http://crl.verisign.com/
Well, apparently this is a CRL list. Good. Then some questions remain -
would this server handle a few 100.000 concurrent requests getting a 666k or
118k file? Could this be a CDP for use of MS certs, or should they have
built it themselves? The certs included were Verisign's, the cert did not
include a CDP - don't think it was MS's responsibility.
Other minor question: why does the RPA shout: YOU ARE SOLELY RESPONSIBLE FOR
DECIDING WHETHER OR NOT TO RELY ON THE INFORMATION IN A CERTIFICATE?
(item 3). The RPA also states that if my browser decides to check a CRL: As a
Relying Party, (I will be) obligated to:
(i) independently assess the appropriateness of the use of a
Certificate for any given purpose and determine that the Certificate will,
in fact, be used for an appropriate purpose;
(ii) utilize the appropriate software and/or hardware to perform
digital signature verification or other cryptographic operations you wish to
perform, as a condition of relying on a Certificate in connection with each
such operation. Such operations include identifying a Certificate Chain and
verifying the digital signatures on all Certificates in the Certificate
Chain. You agree that you will not rely on a Certificate unless these
verification procedures are successful;
(iii) check the status of a Certificate on which you wish to rely, as
well as all the Certificates in its Certificate Chain. If any of the
Certificates in the Certificate Chain have been revoked, you agree that
you will not rely on the end-user Subscriber Certificate or other revoked
Certificate in the Certificate Chain; and
(iv) rely on the Certificate, if all of the checks described in the
previous paragraphs are successful, provided that reliance upon the
Certificate is reasonable under the circumstances and in light of Section 3
of this Agreement. If the circumstances indicate a need for additional
assurances, it is your responsibility to obtain such assurances for such
reliance to be deemed reasonable.
Well? How does one do that?
And then this:
You agree to release, indemnify, defend and hold harmless VeriSign and any
non-VeriSign CAs or RAs, and any of their respective contractors, agents,
employees, officers, directors, shareholders, affiliates and assigns from
all liabilities, claims, damages, costs and expenses, including reasonable
attorney's fees and expenses, of third parties relating to or arising out of
(i) your failure to perform the obligations of a Relying Party, (ii) your
reliance on a Certificate that is not reasonable under the circumstances, or
(iii) your failure to check the status of a Certificate to determine if the
Certificate is expired or revoked. When VeriSign is threatened with suit or
sued by a third party, VeriSign may seek written assurances from you
concerning your promise to indemnify VeriSign, your failure to provide those
assurances may be considered by VeriSign to be a material breach of this
Agreement. VeriSign shall have the right to participate in any defense by
you of a third-party claim related to your use of any VeriSign services,
with counsel of our choice at your own expense. You shall have sole
responsibility to defend VeriSign against any claim, but you must receive
VeriSign's prior written consent regarding any related settlement. The terms
of this Section 11 will survive any termination or cancellation of this
> you have to read the CPS, know the liabilities, and then accept them IMHO.
As you can see, I have done this. Now I know the liabilities and my
duties.... I do not accept them.
Maybe there is no real new disclosure in this, but should full disclosure
necessarily be new? We can't all know everything, and there are all too many
people wanting to learn here - the original question that started the
discussion was quite off topic so it had to evolve this way.
Full-Disclosure is hosted and sponsored by Secunia.
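To make the relying-party obligations (ii) and (iii) quoted in the post concrete, here is an added example written for this page; it is not from the original poster, the list, or VeriSign's RPA. It uses only Go's standard library (crypto/x509) and generates a constructed root/intermediate/leaf hierarchy and the CAs' CRLs in memory, so it runs offline. The CA names, the host www.example.test, the serial numbers and all function names are assumptions made for the example. RelyOn does the two steps the RPA asks for: build and verify the chain up to a trusted root, then check every certificate below the trust anchor against a CRL that its issuer signed, refusing (failing closed) when no usable CRL is available.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildPKI generates a constructed root -> intermediate -> leaf hierarchy in memory (names and serials are made up).
func BuildPKI(now time.Time) (root, inter, leaf *x509.Certificate, rootKey, interKey *ecdsa.PrivateKey) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	tmpl := func(serial int64, cn string, ku x509.KeyUsage, dns ...string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
			KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	sign := func(t, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, key))))
	}
	caKU := x509.KeyUsageCertSign | x509.KeyUsageCRLSign // crlSign is what entitles a CA to sign CRLs
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootT := tmpl(1, "Constructed Root CA", caKU)
	root = sign(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed trust anchor
	inter = sign(tmpl(2, "Constructed Intermediate CA", caKU), root, &interKey.PublicKey, rootKey)
	leaf = sign(tmpl(3, "www.example.test", x509.KeyUsageDigitalSignature, "www.example.test"), inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf, rootKey, interKey
}

// mkCRL issues a CRL signed by issuer; revoked (may be nil) is listed only if issuer actually issued it.
func mkCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked *x509.Certificate, now time.Time) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revoked != nil && bytes.Equal(revoked.RawIssuer, issuer.RawSubject) {
		t.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: t.ThisUpdate}}
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, issuer, key))))
}

// checkStatus is RPA item (iii) for one certificate: find the CRL its issuer signed, verify that CRL's
// own signature and freshness, then look the serial up. No usable CRL means status unknown: fail closed.
func checkStatus(cert, issuer *x509.Certificate, crls []*x509.RevocationList, now time.Time) error {
	for _, crl := range crls {
		if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
			continue
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil || now.After(crl.NextUpdate) {
			return fmt.Errorf("CRL from %q unusable (bad signature or stale): %v", issuer.Subject.CommonName, err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q (serial %v) is revoked", cert.Subject.CommonName, cert.SerialNumber)
			}
		}
		return nil
	}
	return fmt.Errorf("no CRL available for issuer %q; status unknown", issuer.Subject.CommonName)
}

// RelyOn is RPA item (ii) then (iii): verify the chain to a trusted root, then check every cert below the anchor.
func RelyOn(leaf, inter, root *x509.Certificate, crls []*x509.RevocationList, host string, now time.Time) error {
	inters, roots := x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(inter)
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inters, Roots: roots, CurrentTime: now})
	if err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	for chain, i := chains[0], 0; i+1 < len(chain); i++ { // leaf first, trust anchor last
		if err := checkStatus(chain[i], chain[i+1], crls, now); err != nil {
			return err
		}
	}
	return nil
}

// Scenario runs the whole procedure; revoke is "", "leaf" or "inter", and omitInterCRL withholds the intermediate's CRL.
func Scenario(revoke string, omitInterCRL bool) error {
	now := time.Now()
	root, inter, leaf, rootKey, interKey := BuildPKI(now)
	victim := map[string]*x509.Certificate{"leaf": leaf, "inter": inter}[revoke]
	crls := []*x509.RevocationList{mkCRL(root, rootKey, victim, now)}
	if !omitInterCRL {
		crls = append(crls, mkCRL(inter, interKey, victim, now))
	}
	return RelyOn(leaf, inter, root, crls, "www.example.test", now)
}

func main() {
	fmt.Println(Scenario("", false), Scenario("leaf", false), Scenario("inter", false), Scenario("", true))
}
```

Running it prints a nil error for the clean chain and an error for each of the three failure cases (revoked leaf, revoked intermediate, no CRL for the intermediate). Two design points bear on the post: the revocation loop walks the whole chain, not just the end-entity certificate, which is what item (iii) demands; and the freshness test against NextUpdate means a CRL only has to be fetched once per validity window rather than on every connection, which is the usual answer to the "a few 100.000 concurrent requests" worry.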