VeriSign and Conflicts of Interest
Dear Dr Twomey,

As security professionals, we are concerned about one of the bidders for the operation of the .net TLD. VeriSign, Inc. have a severe and irreconcilable conflict of interest between the proper, secure operation of a TLD and other substantial business activity in which they are engaged. In particular, given their ability to add or change records in a TLD, they may choose to break DNS in order to enhance the ability of their "NetDiscovery" wiretapping service to break the security afforded by SSL to users.

We suggest that VeriSign not be granted any further TLD contracts until such time as they have divested NetDiscovery. The remainder of this letter outlines the conflict of interest.

As well as TLD and DNS services, VeriSign operates a certificate authority business that caters for about 42% of the Internet's secure web servers and other systems secured by SSL [1]. It is presumed by its customers that VeriSign is a trusted issuer. It is further presumed that the company has a fiduciary duty to protect each and every customer's interests.

Yet VeriSign also operates a 'Lawful Intercept' service called NetDiscovery [2]. This service is provided to "... [assist] government agencies with lawful interception and subpoena requests for subscriber records" [3].

We believe that under such a service, VeriSign could be required to issue false certificates, ones _unauthorised_ by the nominal owner. Such certificates could be employed in an attack on the user's traffic via the DNS services now under question. Further, the design of the SSL browser system includes a 'root list' of trusted issuers, and a breach of _any_ of these means that the protection afforded by SSL can be bypassed.

We do not intend to pass comment on the legal issues surrounding such intercepts. Rather, we wish to draw your attention to the fact that VeriSign now operates under a conflict of interest.

VeriSign serves both the users of certificates as customers and also the (legal) interceptors of same. The certificate owner loses in this battle due to straightforward economics, and is thus no longer represented. The cryptographers and security architects who designed the SSL system in 1994 and 1995 envisaged the issuer of certificates to be _trusted by the certificate owner_. This development represents the antithesis of that security requirement.

We therefore suggest that, for the security of the Internet, VeriSign not be charged with operating services that might bring it into conflict with the security requirements of the SSL browsing system. We believe that TLDs should be operated by companies without conflicts of interest, and further that they should be charged with avoiding conflicts of interest as a condition of their contract. An operator that has no conflict of interest can be expected to consider the user's interests more clearly.

The ideal we should strive for is that users can take their grievances to the courts of the land. Under the current unsatisfactory situation, it is likely that users are denied even their day in court. This we believe to be contrary to the principles of good and open governance, as well as a gross violation of human and corporate rights.

Ian Grigg, Financial Cryptographer
Adam Shostack, Security Entrepreneur

[1] http://www.securityspace.com/s_survey/sdata/200412/certca.html
[2] http://www.verisign.com/products-services/communications-services/connectivity-and-interoperability-services/calea-compliance/page_CS_CIS_NETDISCOVERY.html
[3] ibid.
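The letter's technical premise is the 'root list' property: a browser accepts a server certificate if it chains to any root in its list, so a certificate for a site issued by a root the site owner never dealt with passes every check a browser makes, and the only remaining step for an interceptor is steering the traffic (the DNS angle the letter raises). The following Go program, an added illustration that is not part of the letter and uses only the standard library, builds two self-signed roots, has the second one issue an unauthorised certificate for a host, and shows that a verifier trusting both roots accepts it while one trusting only the owner's chosen issuer rejects it. The CA names and the host example.com are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds a self-signed root certificate and its signing key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewRootCA creates a self-signed root CA with the given (made-up) name.
func NewRootCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueServerCert issues a server certificate for dnsName signed by c.
// Nothing in X.509 itself checks that the requester controls dnsName;
// that decision rests entirely with the issuer.
func (c *CA) IssueServerCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, &key.PublicKey, c.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BrowserAccepts does what a browser does with a server certificate:
// chain it to some root in the list, match the host name, and check it
// is usable for server authentication. It never asks which root the
// site owner actually chose.
func BrowserAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// RootListScenario returns whether an unauthorised certificate for host,
// issued by a second root, is accepted (a) with both roots in the list
// and (b) with only the owner's chosen issuer in the list.
func RootListScenario(host string) (bool, bool, error) {
	honest, err := NewRootCA("Owner's Chosen Issuer (example)")
	if err != nil {
		return false, false, err
	}
	other, err := NewRootCA("Any Other Listed Root (example)")
	if err != nil {
		return false, false, err
	}
	unauthorised, err := other.IssueServerCert(host) // owner never asked for this
	if err != nil {
		return false, false, err
	}
	bothRoots := x509.NewCertPool()
	bothRoots.AddCert(honest.Cert)
	bothRoots.AddCert(other.Cert)
	ownerOnly := x509.NewCertPool()
	ownerOnly.AddCert(honest.Cert)
	return BrowserAccepts(unauthorised, bothRoots, host),
		BrowserAccepts(unauthorised, ownerOnly, host), nil
}

func main() {
	both, ownerOnly, err := RootListScenario("example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted with the other root in the list: %v\n", both)
	fmt.Printf("accepted with only the owner's issuer:    %v\n", ownerOnly)
}
```

The second result is the one a certificate owner might expect from "trusted by the certificate owner"; the first is what the browser root list actually delivers, which is why the letter treats a compelled issuance by any listed root as a bypass of SSL rather than a problem confined to that root's own customers.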