Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
The Internet

Verisign Buyout of Thawte Consulting Challenged 80

andyr writes "Independent Online has a report that Entrust Technologies is challenging Verisign's buyout of Thawte consulting. Verisign is the world's largest SSL Certificate issuer, with 60% of the market, with Thawte the second-largest, with about 40%. Combined, they own 99% of the market. "
This discussion has been archived. No new comments can be posted.

Verisign Buyout of Thawte Consulting Challenged

Comments Filter:
  • by Anonymous Coward
    The Slashdot Address

    Four flames and seven firsts ago our fathers brought forth upon this site, a new slashdot, conceived in liberty, and dedicated to the proposition that all posts are created equal.

    Now we are engaged in a flamebait war, testing whether that thread, or any thread so conceived and so dedicated, can long endure. We are met on a great opensource arena of that war. We have come to dedicate a portion of that thread, as a first posting place for those trolls who here gave their posts that this site might live. It is altogether fitting and proper that we should do this.

    But in a larger sense, we cannot dedicate - we cannot consecrate - we cannot hallow - this site. The off-topic trolls, Moderated up and down, who struggled here, have consecrated it, far above our poor power to add or detract. The slashdot community will little note, nor long remember what we say here, but it can never forget what they did here. It is for us, the trolls, rather to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced.

    It is rather for us to be here dedicated to the great task remaining before us, that from these naked and petrified posts we take increased devotion to that cause for which they gave the last full measure of devotion; that we here highly resolve that these trolls shall not have posted in vain; that this slashdot, under Hemos, shall have a new birth of freedom, and that this moderation of the people, by the people, and for the people shall not perish from this site.

    .

    Trollmastah

  • a monopoly on key pair authorization seems orwellian to me.
    obvious, maybe, but I recently went with thawte for the very reason that they weren't verisign.
    this sucks, i hope the challenge sticks.
  • the FTC will step in against this buyout. One company controlling 99% of the marker for digital certificates would be a disaster. This is exactly what the anti-trust laws were set up to prevent.
  • I was wondering why it was taking so long for Thawte and Verisign to finish up. I was talking with Thawte just last week and they were acting like nothing happened.

    --patrick
  • Verisign is the world's largest SSL Certificate issuer, with 60% of the market, with Thawte the second-largest, with about 40%. Combined, they own 99% of the market
    After all those Microsoft Anti-trust stuff on /., I really expected this to be under a 'monopoly' headline.
    I don't have much experience with Certificates issued by verisign (I always sign my own ones) but I think it's a Bad Thing (tm) that one company owns 99% of whatever market you like. How is it possible that Versign is allowed to do this?
  • by Foogle ( 35117 )
    It's not like they'd have a monopoly on encryption. They offer a service that isn't really required. It's nice, sure, but when was the last time you saw anyone in the Open Source community use a certificate provider to sign their tarballs? There ways of signing something without using Verisign, no?

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • ...In the market for personal digital certificates, at least, because Verisign and others don't offer any certificate beyond the self-attested-via-email (Got hotmail?) class 1 certs. The first CA that offers these for a reasonable price will be rolling in the dough.

    In the Site.Cert market, I've had excellent experiences with Entrust support and their certificates. Of course, Entrust Certs were signed by...Thawte...
  • It's sad that Public Key Cryptology, as it relates to the web, has become a way of distributing money from web authors to a single company. What do we get for our money when we get a CA certification? A token verification that we have a credit card in many cases. What does the critical certification prove in terms of a trust relationship? Zip. A signed cert doesn't mean I have a secure server that protects my subscriber's credit information, nor does it imply that I'm in any way honest. I like the PGP web of trust model, but I don't know how it could be implemented on the web. There ought to be someway to have PKI without big silly corp in charge.
  • by irix ( 22687 ) on Tuesday January 11, 2000 @11:16AM (#1382163) Journal
    Some interesting info on the relationship between Entrust and Thawte, and how this affects Entrust:

    http://www.entrust.com/investor/12_21_ 99.htm [entrust.com]

  • by beff ( 135968 ) on Tuesday January 11, 2000 @11:19AM (#1382164) Homepage
    Yes and No. Even if you sign your own tarballs, a user needs to verify that the key used to sign it was owned by you. Key databases are often used to verify ownership and seem to be relatively secure. However, for SSL transactions, a database lookup takes too long. Browsers depend on a key "tree" with a known valid root. With Verisign, you can buy a code signing key that is signed by the known, published, presumably secured, Verisign root (one version of which just expired, btw).

    As I understand it, both Verisign and Thawte (and a few others) have been in the industry long enough that almost all browsers come with a Verisign and a Thawte root certificate. When the browser wants to open an SSL transaction, it can verify the server's certificate by tracing it back to the known and presumed valid Verisign or Thawte certificate. No database lookup and no problem.

    Where the yes and no comes in is if the root is invalid or otherwise not recognized, the user can still proceed with the SSL session, she'll just get an error message about an untrusted certificate.

    I don't know how many other trusted root certificates normally ship with browsers these days. My copy of Netscape has 63, six of which are Verisign and four of which are Thawte.

  • by bobalu ( 1921 ) on Tuesday January 11, 2000 @11:24AM (#1382165)
    These guys are a huge scam. It's a ton of money for sending you a computed string. What they're supposed to do for server certs is actually check you out enough to know you are who you say you are. When I got my first server certificate I had to send all manner of info; tax stuff, corp. papers, etc. When I went to renew they asked me to send it all again! I said "Wait a minute, you know you I am and should have that already." She said "well no we don't." To which I said "Well, if you don't know who I am then by continuing to authorize the cert for the last year you were representing to the public that you Ok'd somebody you know nothing about, and your service is worthless at best and possibly fraudulent."

    And guess what? I didn't need to send all that info after all, as long as I paid the $725.

    What a great business!
  • While I don't think it's a good thing that Verisign is trying to corner the market, in fact it kind of scares me. BUT, why do we not generate our own? Good, they're trusted, THEY trust ME because *I* have a DUNS number. But the guy you hand your credit card to at the corner store may or may not, and he may or may not sell that information to some kid for crack money. I wish I could remember the article about why root CA and trusted authorities are going to have to go away eventually, I think it struck me as being Bruce Schneier but I couldn't find it in any Crypto-Gram's right away.
  • What real purpose do Verisign & Thawte serve?
    For correspondents with whom you have previously had contact, simply digitally signing a document gives high confidence that it comes from the same source as previous documents signed by the same key. Thus a 3rd party certificate serves no useful purpose for already established relationships.
    For first-time contacts, how much do 3rd party certificates really tell you about the certificate holder? Is a simple digital signature (without a cert) not just as reliable as letter with an unknown handwritted signature? (Or even more reliable as the digital signature also ensures that the document contents have not been changed since being signed)
  • a monopoly on key pair authorization seems orwellian to me.

    But it isn't a monopoly like the USPS. Any competitors are welcome to enter the market. Our capital market is pretty good--if your idea is sound, you should be able to get backing for it.

    If Thawte/Verisign start charging an arm and a leg, you'll see a hundred Entrusts pop up in months. Profit margin draws capital like sherry draws Ted Kennedy.

    Steve

  • by HP LoveJet ( 8592 ) on Tuesday January 11, 2000 @11:31AM (#1382169)
    There's a numerical formula used by economists (and the FTC if I recall correctly) to give a rough picture of the degree of monopoly or oligopoly in a given industry:

    Take the sum of the squares of market shares of the various competitors, and you will get a value ranging from 0 (for what amounts to perfect competition, i.e., a very large number of infinitesimal competitors) to 10,000 (for an absolute monopoly). If the figures in the story are true, then:

    Verisign = 60%
    Thawte = 39%
    Everyone else total = 1%

    So--

    OLD: 60^2 + 39^2 + negligible = 5121
    NEW: 99^2 + negligible = 9801

    Hmmm.....
  • "Four flames and seven firsts ago"

    Another funny one, thanks a bunch. I can't believe that the moderators think this isn't funny.
  • ...then I'm all ears. Or is that just scratching from his coffin? I just wished I was there when they auctioned off his humidor. Evil racist bastard or not, I bet he had some great cigars!

    p.s. For those of you who might not know, Frank Rizzo was the mayor of Philadelphia for many years, and not exactly a civil rights advocate.
  • by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Tuesday January 11, 2000 @11:31AM (#1382172) Homepage Journal
    Verisign own 60% of the market. Thawte own 40% of the market. 60% + 40% = 99%. Ok, who's using the Pentium 0.99999?

    Seriously, I doubt these figures are meaningful, anyway. Most certificates in use are probably for private intranets or extranets, and therefore rolled by the local sys admins. (Best way to keep a network private.)

    Even if you're talking about the markets which are open, you're talking about a very dynamic system. This isn't the PC market, which has largely stagnated at the hands of Macrospot, but a realm where fortunes are made and lost quicker than LinuxOne can say "IPO".

    The number of SSL-enabled web servers is still pitifully small. By now, most (if not all) servers should be delivering -everything- encrypted. If you only encrypt the stuff you don't want "the wrong people" to see, "the wrong people" know where to look. And international SSL is a pathetic 40-bits.

    If -every- web server delivered -every- web page in 128-bit encrypted form, or even 40-bit form, it would be almost impossible for sniffers to pick out the useful information, let alone break the encryption. They'd stand much more chance of just ending up with the local weather forecast or someone's prawn bookmarks. With no way of telling what was what, they'd have to break -every- packet to get -any- useful data. They'd die of old age before they'd get anywhere.

    Then, there's IPSec. For the same reason as above, IPSec could destroy the certificate market, as most IPSec implementations don't support X.509 as standard. A merger might create a giant with sufficient power to prevent IPSec becoming adopted, or it might be completely obliterated by the use of Total Encryption.

    In short, I don't see the buyout as a threat or a boon. It's an irrelevency, in a market that's made itself that way.

    (Besides, Thawte dumped Sioux, and some things can't be forgiven.)

  • It makes sense to me to have a single, reputable company/organization issue and sign certificates. Having a web of trust is forever as weak as the least trustworthy/ethical partner. At least this way, the very top level signee is a known, trustworthy market leader.
  • so what you are saying is that the new math is really old math?


    / k.d / earth trickle / Monkeys vs. Robots Films [xoom.com] /

  • by Anonymous Coward
    The biggest issue isn't that Verisign and Thawte hold 99% of the current market. I think the real issue is that they continue to be the default providers of certificates in the majority of web browsers. This gives the appearence of using Verisign and Thawte of being seemlessly integrated into the browser. Whereas, if another company wanted to enter into the CA market, it would have to encourage web users to add them into the SSL configuration of the web browser manually or upgrade to a web browser that already has an entry for the new CA. If, instead, a CA configuration could be added automatically via digitally signed updates to existing browsers then the ability for other companies to enter the CA market (even if it is presently 99% held by one company) would not be the issue it is today. Unfortantly, Netscape Corp. didn't put nearly enough thought into this factor when they purposed and implimented SSL.
  • by gorilla ( 36491 ) on Tuesday January 11, 2000 @11:43AM (#1382176)
    One problem is that Verisign & Thwate have a major advantage over any competitor in that the browsers contain CA records, while a competitor would not. This is the principle reason that Verisign has a bigger marketshare than Thwate, because VS's CA was in Navigator & MSIE earlier than Thwate's were.
  • by Lord Kano ( 13027 ) on Tuesday January 11, 2000 @11:44AM (#1382177) Homepage Journal
    He said 60% and "about 40%", for the dumb asses in the audience "about 40%" in this case means 39.x% where x is too trivial to calculate for this example. 60% + 39.x% = 99.x%.

    Jeez, do you people really not get it or are you just looking to pick nits?

    LK
  • Ah, but 39.5% + 59.5% == 99%. Since 39.5% is usually just rounded up to 40% as is 59.5% to 60%, you can see how 60% + 40% == 99%.
  • Market leader and trustworthy are not related. It may be that a market leader is trustworthy, but that is coincidental, not causal. If, for the sake of argument, we assume that RealNetworks is the market leader in streaming media (which may or may not be true, I don't have any stats on that market), does that make them trustworthy, despite their recent privacy boondoggle of surreptitiously collecting information about user activity?

    From my own experiences with VeriSign and Thawte (as limited as those experiences may have been up to this point), I certainly have not felt that I trusted VeriSign any more as a result of their market position. And, truthfully, I would tend to trust "centralized control" less than a more diverse marketplace, because the benefits of competition extend beyond simple pricing issues.

  • by konstant ( 63560 ) on Tuesday January 11, 2000 @11:53AM (#1382182)
    Having worked on crypto for some time, I've come to greatly admire Thawte for their careful identity authentication practices, which made a strong contrast with Verisign.

    Verisign certainly is large, and their root key is probably in more trusted stores than Verisign's, but not by much. Both, for example, are in the IE4/5 trusted store that comes with shipping windows. IE3 too, I believe. And Thawte will issue keypairs for no charge. Or at least, they used to.

    Verisign has made a practice of issueing "temporary" certificates containing arbitrary unverified data. True, the user cert is marked as temporary, and the key expires after I believe 40 days, but the marking is buried and 40 days is ample time to perpetrate a fraud on an unwary user. As a game, the members of my test team would send messages to each other "signed" by famous figures like Ghandi and President Clinton. Since the from header is trivial to forge, these mails looked like the real deal to a cursory inspection. You would have to have a medium-level understanding of crypto even to guess they might be fakes.

    Thawte has never allowed this sort of thing to go on. When I applied for my one and only Thawte keypair I had to submit a great deal of information about myself, all of which they verified over the course of a day. I understand Verisign's desire to promote their product, and certainly it must work because of their prominence, but playing fast and loose with authentication is a surefire way to get the whole crypto industry discredited in the eyes of the public.

    -konstant
    Yes! We are all individuals! I'm not!
  • Part of the web of trust is that you give less trust to people who are likely to violate your trust, or trust people who are likely to violate your trust.

    So as long as you make good decisions about whose keys you sign (and at what trust level) it should work.
  • Do you trust a bunch of suits out for profit, or
    do you trust someone, like say.. the EFF? I mean really.. go get OpenSSL and start your own CA.

    nuff said.
    pan
  • Sure, you can sign your own SSL certificates. I did this for the webmail server at my school. However, Netscape/IE/whatever browser you like doesn't ship with the root certificate for the Jesse Kovach Certification Authority, so the browser will complain that the certificate is unrecognized and ask "are you sure you want to connect? this may be insecure" or something to that effect. While most Slashdot readers would probably be smart enough to realize what is going on here and accept the customized certificate, some people will freak out and say "It says it's not going to be secure! They're going to steal my credit card number! Help!" So most sites get a certificate from someone who was able to get a root cert into Netscape. Also, IE 3 will not accept a certificate that is not signed by a root certificate that is in its database.

    Another reason that Entrust may be suing is because the certificates they issue are generated from a root belonging to Thawte. Thawte has offered this cross-signing service in the past, but Verisign/Thawte combined may not. This would put a big dent in the way Entrust does business.

  • by Ledge Kindred ( 82988 ) on Tuesday January 11, 2000 @12:18PM (#1382187)
    A lot of comments are asking "Why is this such a bad thing? If Verisign/Thawte just get too big and snooty, other competing companies will spring up and the market will regulate itself." Except that it doesn't work this way.

    What Thawte and Versign do isn't exactly related to the encryption part of SSL, it's related to the X.509 certificates of sites that implement SSL. A site can do SSL without a certificate signed by Thawte or Versign, but if the Certifying Authority that signed the certificate doesn't have its own signature in the lists of CAs maintained by the browsers (Netscape and MSIE include a list of CAs on the local machine when they get installed; I'm not sure how other browsers handle it.) then the browser will pop up some manner of error message when the site is contacted to the effect of "This site's certificate is signed by someone we don't know, do you want to continue?" It doesn't affect the server's ability to do SSL traffic - it can still do that - it only affects the browser's ability to verify that the certificate assigned to the site is who it says it is. (i.e. if you go to a site called www.mcdonalds.com to buy burgers over the 'net, you can look at the certificate to verify whether or not this is really the place that has the golden arches out front by the information in their certificate.)

    The problem here is that probably 95% of the people doing e-Commerce on the net today are going to balk at a purchase if ANY sort of message box that looks like an error box pops up. It doesn't matter if you explain to them that the message only means that the browser doesn't recognize the authority that signed the certificate and that traffic is still encrypted when you communicate with the server, like my mom, they're just going to see an error message and freak out and not want to to business there. (In addition, I've personally had problems with MSIE properly passing information from forms when connecting to a secure site before we get the valid certificate installed. With the "Push here to connect to our secure server" button, ID information we might want to pass across to the secure server seems to get vaporized or something in the process of the user clicking the "Ok, connect anyway" dialog.)

    So why can't some new, faster, better CA pop up and just start doing business? Because they're signature isn't in the tens of millions of copies of Netscape and MSIE that are already active on the internet. Why can't they just get their signature into the new version? They can, I suppose, although after looking into it from a developer's perspective, I've not been able to find out how one would go about doing this other than I suppose contacting Netscape/AOL or Microsoft directly and passing along various salespersons until you found the person who could tell you how you could pay to have your CA's signature put into the next version. It still doesn't help the millions of people who haven't upgraded yet and will still get that error message.

    Further, even if you could manage to get your signature into the new versions of the browsers, there's still the issue of what a CA is supposed to do. The CA exists to verify that the server is run by who it says it is. That means when you go to www.mcdonalds.com to buy burgers and check the certificate and it says "McDonald's, Inc." the CA had better have done its job and verified that the server is indeed being run by the golden arches people. If not, and the customer gets a load of rancid meat, I don't know what kind of liability comes into play, but in the U.S. anyway, someone's probably going to try to sue someone. It's hard to run the kind of services you need to be able to do this sort of thing reliably out of your living room, which means that the cost of entry is rather high. (This is completely ignoring the fact that most CA's I've dealt with lately just seem to accept any old thing you feel like faxing them with whatever letterhead you can throw together. As long as I have a Microsoft Word Form Letter Wizard that can put the McDonald's logo on my letterhead, I could probably get a certificate signed by one of the big CA's stating that I'm McDonald's, Inc.)

    So, the problem with this merger is that if you combine Thawte and Verisign, they not only have 99% of the market, but also they, or subsidiaries of those two companies, are most of the CA signatures included with the current version of your web browser. The monopoly is not only in the market share, but also in the fact that the browsers themselves limit the number and which companies are "allowed" entry into the business without generating error messages on the client machines.

    One solution would be to seperate out the encryption from the trust capabilities; i.e. don't make having a valid X.509 certificate on your site a prerequisite for doing encryption. Or at least program the browser differently so the error message just warns about an unsigned certificate but specifically states that encryption is still capable, you just can't verify that the site is run by who it says it is. Again, this still doesn't fix the problem of the millions of people using current or old versions of the browsers out there right now.

    I obviously feel very strongly about this issue.

    -=-=-=-=-

  • It's probably something like 59.6 and 39.8, which when rounded off equal 60 and 40 but when added equal 99.4 which rounds to 99.
  • Rounding to the nearest integer would do it:

    59.6% --> 60%
    39.6% --> 40%
    -------------
    99.2% --> 99%

    Anyway, unless the actual total really is 100%, people would leave 99% to indicate that there still are a few others out there.

    It's like scoring on standardized tests where they tell you you've beaten a certain percentage of other students taking the test. Their policy is never report 100%, even if you alone had the highest score in the nation.

  • I agree a not for profit organisation to do this would be great. Who though? It has to be someone people can trust otherwise it is worthless and no-one will use it. I agree EFF would be good but how many people other than real IT people know who EFF is much less trust them. This can't be done by just anyone. I am thinking someone like the UN should setup a division for it as they are recognised the world over and their name is generally trusted.
  • What the heck is the FTC and the DOJ up to? They get all hissy-pissy about microsoft giving its browser away with the OS, screaming monopoly the whole time, but when the two companies controlling 99% of the internet signing/verification business merge, they just sit back and watch from the bleachers? Where's Janet Reno when you REALLY need her...
    =======
    There was never a genius without a tincture of madness.
  • By now, most (if not all) servers should be delivering -everything- encrypted.

    While I agree with this statement in principle, in practise it's not going to happen anytime soon. I work for a web development/hosting agency in the UK, and am "in charge" of one of the websites we host (that's in charge in the sense that should anyone have a question of a technical nature regarding the site, it's me that they (should) come to).

    I was informed a few days ago by one of our sysadmins that the site is accounting for roughly 40% of the processor usage on the Sun server it's sharing with a few other sites. The secure server is only protecting half a dozen or so pages, totalling probably about 100-120K in size. There are a couple of CGIs, but they're both relatively simple. Were we to move the entire site over to SSL, I very much doubt that the server would be able to handle it adequately.

    If you only encrypt the stuff you don't want "the wrong people" to see, "the wrong people" know where to look.

    That, I agree with completely. Those of us who regard encryption as a good thing really ought to be encrypting as much as possible, even the emails that are literally just "Hi, how are you? Mail me back when you've got time!". If only more of my friends actually had the faintest idea how to use encryption, then I'd be able to (the one that's the most clued-up in this area, a sysadmin, is still "meaning to have a look at PGP when I get round to it"). More work needs to be done to integrate encryption seemlessly with email clients (and instant messengers? IRC?) before it will be adopted more widely.

    Cheers,

    Tim
  • A cert contains not only your pub key, but also information about how this key is to be used, what domain it exists in (i.e. who is the CA), and when is this key valid. You do need to have policies related to certificates, esp in business relationships. Certs also give you multiparty control (or at least CAs do) for certain certs like perhaps the ones with signing authority for purchases over $50,000. An existing trust relationship has nothing to do with how certs should be trusted. A certificate is itself a signed structure -- a plain digital signature can be easily forged via man in the middle attacks.


    The idea that you don't need certs to digital sign docs leads to numerous problems including forgery, using comprimised keys and other policy problems.

    (Or even more reliable as the digital signature also ensures that the document contents have not been changed since being signed)

    But suppose I intercept this transmission of this document -- I can can the contents and the signature because I can also corrupt your local store or the public key (or even intercept you access for the public key). Despite your previous trust relationship, I've changed the doc.

    In addition, this is an IETF standard.
  • Since the moderators have no sense of humor, please take the time to read The Slashdot Address [slashdot.org]. You will laugh, or at least smirk.

    (This is posted at plus-two to keep it from vanishing beneath your threshold anytime soon.)
    --

  • Also, concentration of power leads not only to abuse, but ease of takeover by the State. Then, normal business precautions suddenly become "Lie on X.509, go to jail", as Duncan Frissell has noted.
  • The most insightful and clearheaded person is no one other than a Microsoft employee... I have to say I like that a whole lot! :)
  • The most insightful and clearheaded person on Slashdot is no one other than a Microsoft employee... I have to say I like that a whole lot! :)
  • A monopoly on key pair authorization is not Orwellian.
    Orwellian means:
    "Of, relating to, or evocative of the works of George Orwell, especially the satirical novel 1984, which depicts a futuristic totalitarian state." (dictionary.com)
    Please do not refer to monopolistic business practices as Orwellian. They are not, and calling them such merely serves to erode the meaning of the term.
  • This is the danger of anti-trust law and the seemingly logical arguments that support those laws. I don't mean to say that you're wrong, because these issues are notoriously slippery, I mean to say that it is by no means this simple.

    Your argument is that there is a significant barrier to entry into the market and that competitors cannot easily begin to compete because of this barrier.

    My point would be that there is a significant barrier to entry into every market, otherwise I'd be in them all. Your related point that it would take a not trivial amount of money to begin competing also doesn't make sense, as if there is enough profit to be made then the appropriate investment is justified.

    My point is, that monopoly or no as a company's performance begins to suck then the money to be made will outweigh the cost of entry, otherwise its not worth entering the market at all.

    See Bionomics by Micheal Rothschild for where I get all my ideas.

    Hotnutz.com [hotnutz.com]
  • Wow, a meta-moderation end run.

    This is definitely the best use of karma bonus I have seen; thanks, Tau Zero, for giving me the opportunity to see such a beautiful piece of work, despite the misguided efforts of the moderators (and my own unfortunate tendency to threshold at 0).

  • Hmm. I agree that this leaves almost all the certificates directly certified by today's browsers in the hands of one company - not an ideal state of affairs....
    does anyone know what root certs Mozilla will be supplied with, when/if it gets to a stable release?
    --
  • But it isn't a monopoly like the USPS. Any competitors are welcome to enter the market. Our capital market is pretty good--if your idea is sound, you should be able to get backing for it.

    This is true only if there are no barriers to entry. But key pair authorization has a huge barrier to entry: you are essentially paying for the trust people have in the company, and trust begets more trust.

    It's the same reason why you won't have much hope starting your own general auction site: EBay is valuable precisely because lots of people use it already. The more people use it, the more valuable it is, and the more new users it will attract.

    -Erik
  • Win2K has IPSec. OpenBSD has IPsec. Theres code available for it. Solaris also has it. So Ipsec is there im sure.
  • Why COULDNT it be stopped?? It is most definately a monopoly. For example, the FTC/DOJ will not allow De Beers diamonds to operate directly in the united states because they own 90% of the diamond trade in the world. Whats the difference between 90% of the diamond trade and 99% of the signing trade??
    =======
    There was never a genius without a tincture of madness.
  • If this deal goes through, anyone not in the U.S. will see their bill for a server go from $0 to $1,000 and more. The cheapest server approved for use outside the U.S., by Verisign, was $1,000 when I last checked. The cheapest one approved by Thawte was $0 (Linux and Apache with SSL).

    Verisign and Thawte provide different choices for the SSL web servers you can use.

    Many banks will not allow a company to sell their products over the Internet unless the transaction is handled over an SSL connection.

    Therefore, if you are interested in e-commerce, and happen to be outside the U.S., I would be very worried about this development.

  • Would it be possible for Netscape and Microsoft to start putting "reserved for future use" certificates in their software? These would be certificates for which NS or MS has the private keys in a safe somewhere, and they can give the private keys to a new Certifying Authority when they open for business. That would bypass the problem where new CAs start with zero credibility because their certs aren't included with any browsers.

    Or have Netscape and Microsoft already thought of this? hmmm...

    OK, that wouldn't help the folks running Netscape 2.0, but it might prevent a nasty future monopoly...
    --
  • by Ledge Kindred ( 82988 ) on Tuesday January 11, 2000 @02:59PM (#1382212)
    "This is the danger of anti-trust law and the seemingly logical arguments that support those laws. I don't mean to say that you're wrong, because these issues are notoriously slippery, I mean to say that it is by no means this simple."

    I absolutely agree. I'm not even sure that I would say that a Verisign/Thawte merger *should* be considered a "monopoly", only that it would certainly, for *many* reasons, be "bad" for the industry.

    In fact, as I sort of skirted around in the previous comment, I don't even think the best solution to the problems that would certainly arise from a merger between these companies would be to disapprove the merger but to revamp the way secure communications happen over HTTP. As someone else pointed out in another comment somewhere, IPSec is something that might make the merger a moot point anyway, but I think the deployment timeframe for IPSec will prevent it from being a "total" solution for some years.

    "Your argument is that there is a significant barrier to entry into the market and that competitors cannot easily begin to compete because of this barrier."

    Not entirely, just that several barriers exist, two of which (the list of CAs that come with the browsers today and the relative cost and/or difficulty of becoming a company that people will trust to verify the identies of sites on the 'net) aren't even really related to a server's ability to do encryption. If it were just a matter of writing some new software, you've gotta admit the entry to the market would be a lot easier since all you'd need were some good programmers as opposed to trying to make some sort of "Relationship" between yourself and the browser makers and also the ability to accurately do identity verification.

    The biggest problem, as I see it, is that the way SSL happens, you HAVE to have a CA before your server can effectively do SSL, even though the signing of your certificate has nothing directly to do with the fact that your SSL server can do encrypted HTTP traffic.

    The fact that SSL server act the way they do causes lots of problems with a situation like this because you can't really "blame" Verisign or Thawte for making SSL happen the way it does - so is it their problem that you need to get a CA to sign your certificate before your browser will stop complaining about an invalid certificate? Does that mean you shouldn't let them merge? Isn't it Netscape's "fault" for designing SSL the way it is that you have to have a signed certificate to do SSL? Is the the browser's manufaturer's faults for not making the error messages more descriptive that a certificate signed by someone not in the built-in list of CAs has no bearing on the security of the connection?

    Every time I have to deal with setting up a new SSL server, it just reaffirms my conviction that the whole SSL thing just needs to be redesigned to avoid these issues to begin with. Have one part of the spec handle encrypted communications and another part entirely deal with the certificate/identity part of the issue. (I'm sure the reason it's done the way it's done is because Netscape believed that by now there would be so much encrypted commerce over the internet by now, between companies and individuals, that the X.509 certificate on the parts of both parties would be an invisible part of the situation to the point that you would simply go to a website and click "buy this" and the server would initiate some sort of secure connection to get *your* X.509 identity and handle all the commerce stuff invisibly, instead of the more-or-less invasive method of going to the secure server and filling out a bunch of HTML forms with your personal information that we're actually doing.)

    And besides, it would make me feel better if we didn't need the CAs to do SSL because I get so irked that they like to claim that they're a necessary part of doing secure communications over the Web, when that's such a misleading statement. And Verisign's the worst because they don't even do the part of the job they're supposed to do (identity verification) very well and still want to gouge you for hundreds of dollars to do it.

    -=-=-=-=-

  • Prodded by a curious /. reader in private mail (thanks Ganesh), I went and dug up the name of the formula--it's called the Herfindahl-Hirschman Index if anyone cares.
  • These are good!! Hey moderators...go to K-mart and get yourself a sense of humor!! These recent first posts should be archived. Maybe a new section for Off-topic, random humor is in order.

    "Evil...it's not just for Satan anymore" --Me
  • A monopoly on key pair authorization is not Orwellian.
    Orwellian means: "Of, relating to, or evocative of the works of George Orwell, especially the satirical novel 1984, which depicts a futuristic totalitarian state." (dictionary.com)
    Please do not refer to monopolistic business practices as Orwellian. They are not, and calling them such merely serves to erode the meaning of the term.


    This is absolutely evocative of said literature (and I should have said authetication, not authorization, excuse my vocab) - the key pair system exists, I believe, to protect our privacy, and a system in which one body as opposed to several potential ones, may hold the key to our ultimate communication encryption scares me - it is in conflict with notions such as 'choice' or 'free speech' - even if it is ultimately dealing with financial transactions for the most part. This is not a monopoly in your usual sense - this is specific to personal safety, and I don't care for the thought of there being a central authority in that regard. Disagree? That's your right - but it smacks of orwellian to this drooling moron.....
  • The story should have included a pointer to the original slashdot discussion [slashdot.org]

    Complain to antitrust@ftc.gov [mailto] and newcase.atr@usdoj.gov [mailto] (see http://www.usdoj.gov/atr/contact/newcase.htm [usdoj.gov] ). They do listen sometimes!

    --Neal

  • I use Netscape 3.04 instead of Netscape 4.X for technical reasons (unbearable bugs in Netscape 4.X). The Verisign CA in Netscape 3.04 (and earliest 4.X) expired Dec 31, 1999. I went to download a new CA certificate and found that none was available. An exchange of e-mail with tech support, after a couple rounds of trying to explain to them what I even wanted, their only excuse was "We only support Netscape 4, you should upgrade". AFAIC, if they "support" it, they should fix it (but they declined).

    I went to the Entrust [entrust.net] site to see if they might have a root CA certificate I could download. Bingo! They do!

    Now tell me why a big resourceful company like Verisign is totally unable to build a root CA certificate for Netscape 3.04 while a little puny company like Entrust has the resources to pull it off (and even earlier versions).

    And Verisign [verisign.com] can't even get their web site to work without having to type in the "www." while most places, including Entrust [entrust.net] and Slashdot [slashdot.org] can.
  • An alternative would be to cease including root CA certificates in browsers, and instead provide a place for people to install them.

    If course this will confuse the 99.9% clueless biomass that has infested the net these days.

    Slashdot should generate their own root CA certs and let us install them ourselves.
  • Where can we download a Jesse Kovach CA root certificate? You do support all browsers, right?

    Why isn't Entrust in at least the newest browsers?

    Really, the only root cert that comes in a browsers should be the browser maker's own, and then the browser maker would sign, using the private half of this cert, the CA certificates, which should be obtained dynamically via HTTP. Then new CAs can be added more readily.
  • The CA exists to verify that the server is run by who it says it is. That means when you go to www.mcdonalds.com to buy burgers and check the certificate and it says "McDonald's, Inc." the CA had better have done its job and verified that the server is indeed being run by the golden arches people. If not, and the customer gets a load of rancid meat, I don't know what kind of liability comes into play, but in the U.S. anyway, someone's probably going to try to sue someone.

    Rancid meat? That is a normal and successful purchase at McDonalds. ["Our pledge to you is at least one bandaid in every egg mcmuffin!"]

    Your other points are spot on. ;)
  • Am i missing something ? Or is the whole certificate issue a non-issue.

    I realise that the browsers require a certificate... any certificate (trusted or not) to connect to an SSL web server, but why ?

    Is it not just another protocol, encapsulating data that has been encrypted, and passing it straight to the server that passed your browser the encryption key ?

    My customers know that they are at my company because they have that URL in their browser location. If corporate identity on the web was going to be such and issue, why is the DNS system not plagued by encryption and certificates ?

    We should be demanding that browsers allow secure connections to any URL, not just those with a meaningless certificate !

    Somehow, ppl need to understand that the connection is encrypted and not the database at the other end.
    If the system storing the information is not secure, then you might as well not have had the secure connection in the first place.

    What am i trying to say ... yes the current certificate issuing / browser-bundling issue is dire, but it needn't be that way ! Just allow a secure connection and make sure you read a privacy statement of the sites policy on storing your sensitive information :)

  • by Anonymous Coward
    The biggest rpoblem with setting up a trusted Root Ca is the infrastructure you have to set up. There is a reason why only a few companies like Thwate and Verisign are tursted implicibly, as the measure of security needed for the Root CA is incredible. It's almost impossible for a new company to become a totally trusted Root CA, because of this level of security clearence. For example, Baltimore, who Aust has the Australian Govt Root CA policy and key pair must store the key pair on a computer which only three epople in the world know how to access, in a steel vault, with all employee allowed even to look at it to have Top Secret clearences. The reason is, imagine if the root CA was compromised. In a PKI setup, that is real bad news. Thence, If anyone thinks there will be compettion against Thwate/etc, sorry, isnt going to happen. There are huge barriers to entry into the market as I have outlined... as a Root CA, you MUST be trusted.
  • stop calling everything "buyouts" and "takeovers"

    when they are not.

    you are making it something that it isnt.

    when companies hand people have choices they are

    just being acquired.
  • Look again. The root cert is hidden but it's there. If tech support failed to mention you this, this doesn't bode well if you really need tech support...

    See my previous post [slashdot.org] for the root cert URL

  • Really, the only root cert that comes in a browsers should be the browser maker's own, and then the browser maker would sign, using the private half of this cert, the CA certificates, which should be obtained dynamically via HTTP. Then new CAs can be added more readily.

    The problem with this is that the browser producers key becomes a link in the security chain. At least CAs have a big incentive to keep there root keys very secure - their whole business depends upon it. Would you trust MS to keep their key for IE6 securely.

    Maybe someone like AOL/MS could afford to hire the expertise to check that they are doing things securily (whether they would bother is a different question), but would Opera, or any other potential competitor, have the resources to keep there keys in guarded safes in the way that the CAs do.

  • I am a sys mgr at a large college of 13,000 users. I had a simple idea. Let students and faculty be able to encrypt their e-mail to each other. Gee, should be simple, right? Well, I tried explaining PGP to them in docs, but it was too difficult. But their fave GUI mail clients all supported S/MIME as long as they had user certs. Real simple, we could hand out a user cert as we passed out the account ID and password (which requires user to present college ID to get).

    Due to the root CA crap, it's not easy. I thought maybe we could become our own internal CA and get one of the root CAs to sign our CA so it chained up and was recognized by browsers, but you wouldn't BELIEVE how much that costs. Even Thawte charged a fortune. $20,000 plus a dollar for each cert we'd sign.

    So I set up our own CA. I could embed our own root CA into all browsers we distribute. I also put the root CA [dtcc.edu] on our web server so people could chose to import it into their own browsers, but for whatever reason, IE 4.5 on a Mac does not have this ability. Plus you wouldn't believe how many people bitch about installing the root CA due to the dire messages some browsers put out about it, but these same people think nothing of granting a java applet permissions to "read/write files/settings" from some unknown site.

    It's a mess, and sometimes I think it's all a scam to make encryption for the masses to be too much of a pain in the ass to bother.

    Yes, verifying a server's identity is important for e-commerce situations, but if given the choice between encrypted traffic between two unverified points or unencrypted traffic between two unverified points (which is what almost all net traffic is anyway), marginal safety is better than no safety (as long as it doesn't lull you into a false sense of security).

    One goal of mine was to prevent a boss of mine from saying "get this slackers e-mail from his account or else be fired" in the future. Then I could say "it's all encrypted, sorry." (Thank *GOD* I've never been asked this in my 10 years as a net administrator here...yet)

  • One of the major problems is that these dig signatures and encryptions are not standard. one email client may support one while another doesn't.
    I've had to switch email clients many times, that gets kinda of frustrating. We need one encryption method that all clients support, for free. I do like the way Thawte has the "free" digital sig, and you can add your actual name to it with a little bit of verification. People will never use this stuff consistently unless it becomes a standard.

    Fook
  • I'd just like to say this:
    Certificate Authorities (CAs) *CANNOT* read your encrypted traffic, which seems to be what some people think. All they do is sign your PUBLIC key, the one available to everyone.
  • That would bypass the problem where new CAs start with zero credibility because their certs aren't included with any browsers. OTOH, these CAs would start out with, and continue with, zero credibility because their keys are compromised from day 0!

Opportunities are usually disguised as hard work, so most people don't recognize them.

Working...