VeriSign and Conflicts of Interest
- To: net-rfp-verisign@xxxxxxxxx
- Subject: VeriSign and Conflicts of Interest
- From: iang@xxxxxxxxxxxxx
- Date: Wed, 2 Feb 2005 22:53:22 GMT
Dear Dr Twomey,

As security professionals, we are concerned about one of the bidders
for the operation of the .net TLD.

VeriSign, Inc. have a severe and irreconcilable conflict of interest
between the proper, secure operation of a TLD, and other substantial
business activity in which they are engaged. In particular, given
their ability to add or change records to a TLD, they may choose to
break DNS in order to enhance the ability of their "NetDiscovery"
wiretapping service to break the security afforded by SSL to users.

We suggest that Verisign not be granted any further TLD contracts
until such time as they have divested NetDiscovery.

The remainder of this letter outlines the conflict of interest.

As well as TLD and DNS services, Verisign operates a certificate
authority business that caters for about 42% of the Internet's secure
web servers and other systems secured by SSL. It is presumed
by its customers that Verisign is a trusted issuer. It is further
presumed that the company has a fiduciary duty to protect each and
every customer's interests.

Yet, Verisign also operates a 'Lawful Intercept' service called
NetDiscovery. This service is provided to "... [assist]
government agencies with lawful interception and subpoena requests
for subscriber records."

We believe that under such a service, VeriSign could be required
to issue false certificates, ones _unauthorised_ by the nominal
owner. Such certificates could be employed in an attack on the
user's traffic via the DNS services now under question. Further,
the design of the SSL browser system includes a 'root list' of
trusted issuers, and a breach of _any_ of these means that the
protection afforded by SSL can now be bypassed.

We do not intend to pass comment on the legal issues surrounding
such intercepts. Rather, we wish to draw your attention to the fact
that VeriSign now operates under a conflict of interest. VeriSign
serves both the users of certificates as customers, and also the (legal)
interceptors of same. The certificate owner loses in this battle
due to straightforward economics, and is thus no longer represented.

The cryptographers and security architects who designed the SSL
system in 1994 and 1995 envisaged the issuer of certificates to
be _trusted by the certificate owner_. This development represents
the antithesis of this security requirement.

We therefore suggest that, for the security of the Internet,
VeriSign not be charged with operating services that might
bring it into conflict with the security requirements of the
SSL browsing system. We believe that TLDs should be operated
by companies without conflicts of interest, and further that
they should be charged with avoiding conflicts of interest
as a condition of their contract.

An operator that has no conflict of interest can be expected to more
clearly consider the user's interests. The ideal we should strive
for is that the users can be allowed to take their grievance to the
courts of the land.

Under the current unsatisfactory situation, it is likely that users
are denied even their day in court. This we believe to be contrary
to the principles of good and open governance, as well as a gross
violation of human and corporate rights.

Ian Grigg, Financial Cryptographer
Adam Shostack, Security Entrepreneur