February 02, 2005
VeriSign and Conflicts of Interest
Adam and I have written to ICANN on the VeriSign conflict of interest. ICANN - the Internet numbers and names authority - are in the throes of awarding the top level domain (TLD) of .net to an operator. Currently VeriSign holds this contract, but we are concerned about their conflict of interest with their NetDiscovery service which facilitates intercepts for law enforcement.
Effectively, as a certificate authority (CA), they could be asked to issue false certificates in your name and eavesdrop on your communications. (More on this.) All legally of course, as per court order or subpoena, but the issue arises that they are now serving two masters - the company on whom the order is served, and you the user.
Not only is that a conflict of interest, but it is a complete breach in the spirit of the SSL's signed certificate security architecture. As each CA is meant to be trusted - by you - this means they need to avoid such conflicts.
Personally, I can't see any way out of this one. Either VeriSign gives up the certificate authority and TLD business, or its NetDiscovery business, or it's the end of any use of the word trust in the trusted third party concept.
I'd encourage you all to dive over to the ICANN site and file comments. VeriSign runs the domains, and issues half the net's secure certificates. It's also angling to be the net's intercept service. Enough is enough, let's spread these critical governance roles around a bit.
Posted by iang at February 2, 2005 06:15 PM
I don't think your scenario makes sense. You seem to think that CALEA will require Verisign and other CAs to deliver a false certificate to a targetted individual in order to allow eavesdropping on a secured connection. I am not aware of any such precedent or provision in the law. From what I can see, NetDiscovery is simply an service bureau that allows small ISPs to outsource the many administrative tasks involved in complying with CALEA. There is no indication that Verisign's certification services would be involved.
And if CALEA does in fact give law enforcement the power to compel a CA to perform such a fraud, any CA would have to respond to it, not just Verisign.
Considering that they are technically in possesion of all those stolen domain names, they are "in possesion of stolen property", a crime almost everywhere except around Washington. I notified my Congressman about a year and a half ago about the problems which can occur due to hijacking of domain names and the lack of effort to thwart this. Unfortunately, Joe Barton, now chairman of the House Commerce Committee, refuses to do anything against the wishes of big business. Most of his constituents can not get broadband Internet connections or even a phone line that will run 56K. But then Joe says he can't get DSL at home either. Rest assured he will do whatever VeriSign tells him to do.
For those conspiracy theorists out there:
The root name servers are probably right across the parking lot from the CIA facility in Reston. Probably on the same fiber loop which connects that facility, NRO, Warrenton Training Center, Quantico, and probably other spooks. The web site said about 18 total.
As for trust, words like honesty and trustworthy have different definitions close to the semantic black hole inside the Beltway.
just to clarify there - I have no idea whether CALEA will "require" or otherwise. What I'm referring to here is that VeriSign is now in the position of dealing with subpoenas from courts. We don't need a reference to law or precedent or CALEA as subpoenas are issued all the time, and they say what is required.
Now, there is a question as to what VeriSign will do when asked to intercept an SSL-secured session. It may say "this is not covered by CALEA" or it may not. In analysing this question, we have to look at the interests of Verisign.
The point of the letter to ICANN is that it has a _conflict of interest_ in decideding how to respond. For VeriSign, it is now representing two different parties, and this is a classic flaw in a governance model. We are not saying that Verisign shouldn't or should intercept, but that the end customer should be represented by an unbiased, disinterested and trusted third party who won't be placed in this conflict of interest.