On 5/19/05, Ian G <[EMAIL PROTECTED]> wrote:
> On Thursday 19 May 2005 18:28, Ram A Moskovitz wrote:
>
> > On 5/18/05, Duane <[EMAIL PROTECTED]> wrote:
> > > With the intercept and gag laws in the US as they are, Verisign or any
> > > other certificate authority can be compelled to issue duplicate
> > > certificates,
> >
> > This may be true, I'm not sure that it is. I suppose that a court
> > order is generally compelling so this doesn't sound impossible. On the
> > other hand if there is an easier way to do it that is presumably a
> > greater concern. How hard would it be to get a CA with an easier
> > authentication process to issue a cert for any domain name that you
> > wish that would be trusted by Firefox, IE, and Opera?
>
> It depends on who is asking for the certificate.
>
> If it is the US government then it is probably
> easier to ask Verisign.

I don't think it would be tougher for the US gov to get a certificate out of one US corp or another assuming they had legal grounds to do so and the employees saw no ethical problem with doing so. If there is a difference I think it is the opposite of what you suggest. VeriSign can afford to fight requests it has problems with while a smaller company may find it much harder. There is a weak analogue available in the way ISPs are handling requests for their customers' information - of course the ISPs don't live by a reputation that depends on trust so they are not as motivated to avoid trust breaches.

> > In any case I
> > think you would go along with any legitimate request made by a
> > legitimate government authority; I would.

> I think Duane is in Australia.

And so being an upstanding Australian citizen or resident I expect he "would go along with any legitimate request made by a legitimate government authority"

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
