only for RuBoard - do not distribute or recompile |
VeriSign opened its Digital ID Center during the summer of 1996. Today VeriSign is the oldest and largest of the world's certification authorities. VeriSign sells certificates for personal use, servers, and code signing. The center is located at http://digitalid.verisign.com/. Its home page is shown in Figure 21-2.
VeriSign distributes digital certificates (called digital IDs by VeriSign) from its web site. These certificates are standard X.509 v3 public key certificates and can be used with a wide variety of programs, as shown in Table 21-1
Program | Purpose |
---|---|
Lotus Notes and Domino Server | Email encryption and digital certification; verify the identity of web users. |
Microsoft Internet Explorer | Verifying the identity of a person browsing a web site. |
Microsoft Outlook and Outlook Express | Emailing encryption and digital certification. |
Netscape Navigator | Email encryption and digital certification; verify the identity of a person browsing a web site. |
You decide if you wish to purchase a single Class 1 digital ID or if you wish to try a "Free 60-day trial edition" digital ID. VeriSign used to offer Class 1 certificates in "bulk" for distribution within an enterprise, but when this book went to press it appeared that this option had been discontinued.
You provide identifying information to establish who you claim to be. For a Class 1 digital ID in July 2001, VeriSign required:
First name or alias
Last name
Email address
A challenge phrase (i.e., a password) that is used to revoke, replace, renew or set preferences for the digital ID.[1]
[1] Please note the irony that VeriSign protects the security of its customers' digital IDs with a simple passphrase.
Billing information for your credit card (required even if you are purchasing the "Free 60-day trial edition").
If you are using Windows with Internet Explorer and 128-bit encryption, you will optionally be allowed to specify a cryptographic service provider that is used to generate and store your private key. Service providers supported include Microsoft's Base Cryptographic Provider, Microsoft's Enhanced Cryptographic Provider, Microsoft's Strong Cryptographic Provider, Gemplus GemSAFE Card, and Schlumberger Cryptographic Service Provider.
You will be asked if you wish to "Protect your private key." If you are using Internet Explorer and click this checkbox, you will be prompted to choose a security setting of high, medium, or low:
With this setting, your private key is encrypted and requires the use of a special password every time it is used.
With this setting, your private key is stored encrypted and you must enter your special password the first time that it is used in any browsing session.
With this setting, your private key is stored without any specific security procedures (although it may still be scrambled by the Windows login system).
You will be asked to read and accept the terms of this statement. (Note that the VeriSign certificate practices statement is a very long and dense legal agreement that almost nobody reads and that has changed from time to time.)
VeriSign will send you an email message. The email message contains a URL and a personal identification number (PIN). By copying the PIN from the email message and pasting it into the form contained on the URL that you are provided, VeriSign is able to verify that you can indeed receive email at the address that you provided.
VeriSign's web server will locate your digital ID and allow you to install it by pressing the INSTALL button (see Figure 21-3).
Evolution at VeriSignVeriSign's original plan was to offer several different levels or classes of digital IDs for the VeriSign Trust Network (VTN). The lowest levels would offer minimum security and certification, while the higher levels would allow businesses to place higher reliance on the security of the certificates. For the lowest level, Class 1, VeriSign would merely assure that the digital ID mapped to a valid email address. For the highest level, Class 4, an individual would have to appear in person before a VeriSign representative, and the private key would have to be stored in some sort of device that required biometric authentication before it could be used. (Class 4 certificates were publicly discussed, but never offered by the company.) Alas, VeriSign's grand scheme for digital IDs has not yet come to pass. Today VeriSign sells only a single ID, the Class 1 certificate. VeriSign's Class 1 certificate contains a person's name and email address. All recipients of the Class 1 certificate are listed on the company's public web site. The certificates also come with $1000 worth of VeriSign's "NetSure" insurance to protect "against economic loss caused by corruption, loss, or misuse of your digital ID," although it's really not clear what that means in practice. (VeriSign's representatives would not answer questions as to whether or not a claim had ever been made under the NetSure program.) It's interesting to see how VeriSign's Class 1 digital ID certificate program has evolved over the past six years. In 2001 VeriSign Class 1 digital IDs cost $14.95 each and are good for a year. Meanwhile, the VTN server certificates do not follow the class system at all. Instead, VeriSign sells the "Secure Site," "Secure Site Pro," "Commerce Site," and "Commerce Site Pro" certificates. |
Your digital ID is now installed. If you wish to view the ID, you can use Internet Explorer's Certificates panel to view the certificate, as shown in Figure 21-4.
|
VeriSign provides a system for looking up a digital ID by name, email, address, or serial number. The form is located at http://digitalid.verisign.com/query.htm, but you can also click on the home page of the VeriSign Digital ID Center. On that page you will find the following text:[2]
[2] As of autumn 2001.
Search our online database for anyone's Digital ID by entering the name, email address, or serial number and issuer name contained in the Digital ID, and clicking on the SEARCH button. If you cannot locate a Digital ID by email address or name, the owner of the Digital ID may have chosen to "unlist" it when setting Digital ID preferences. In order to find it, you will need to obtain the serial number and issuer name of the Digital ID from its owner.
You cannot use wildcard characters. By clicking the SEARCH button you accept the terms of our Relying Party Agreement.
This page states that looking up a user's digital ID in VeriSign's online database requires that you agree to be bound by VeriSign's Relying Party Agreement. This is sort of like a phone company requiring you to agree to a legal agreement before using the White Pages (which, in some cases, they do). Read the Relying Party Agreement for yourself; it is too long to print here in its entirety, but we have included the first paragraph:
YOU MUST READ THIS RELYING PARTY AGREEMENT BEFORE VALIDATING A DIGITAL IDSM ("CERTIFICATE") OR OTHERWISE ACCESSING OR USING VERISIGN'S DATABASE OF CERTIFICATE REVOCATIONS AND OTHER INFORMATION ("REPOSITORY"). IF YOU DO NOT AGREE TO THE TERMS OF THIS RELYING PARTY AGREEMENT, YOU ARE NOT AUTHORIZED TO USE VERISIGN'S REPOSITORY.
It's important to note several key points of this document:
VeriSign wants you to know that they do not warrant their digital IDs for fitness or accuracy. Furthermore, they disclaim all liability for negligence or for acting without unreasonable care.
Liability on certificates is limited per certificate, not per transaction. If a single certificate is used to defraud many people, the compensation that each receives may be quite limited.
VeriSign wants you to know that, even if they do everything right, it's still possible that a person's private key can be stolen or compromised and that, as a result, a digital signature on a document might be forged.
If you are still interested in finding Simson's Class 1 digital ID, you can click on the word "Find" on VeriSign's home page and then search for the email address simsong@acm.org.
When this book was written, such a search displayed two digital IDs:
Simson Garfinkel (Valid) simsong@acm.org Digital ID Class 1 - Client Authentication Full Service New Validity period from Jul-28-2001(GMT) to Jul-28-2002(GMT) Simson L Garfinkel (Expired) simsong@acm.org Digital ID Class 2 - Software Validation Validity period from Nov-06-1996(GMT) to Nov-06-1997(GMT)
VeriSign provides a system for revoking digital IDs issued to individuals. The system requires that you know a digital ID's serial number and the type of digital ID, and that you give a reason for the revocation. Some of the reasons VeriSign allows you to choose are:
Forgotten or lost password
Compromised private key
Per request of subscriber
Issuer update
Overwrote old key pair file and submitted new request
Corrupted key pair
Incorrect common name
Wrong size key pair
Information may be materially threatened or compromised
Material fact is known or reasonably believed to be false
Material certificate issuance prerequisite not satisfied or waived
CA's private key compromised[3]
[3] It may seem strange that VeriSign would allow users to revoke their digital IDs because they think that VeriSign's private key has been compromised. However, if a user really does think that VeriSign's private key has been compromised, then presumably that user would want to revoke his or her digital ID.
Per request of subscriber's agent
Faulty issuance
Replacement
VeriSign can also revoke digital IDs that it determines were issued fraudulently or for which the subscriber did not, in VeriSign's opinion, follow the terms of the VeriSign CPS. For example, in one case VeriSign revoked the digital ID of a programmer who, in VeriSign's opinion, did not follow the terms of the CPS and the Authenticode pledge (see Chapter 22).
only for RuBoard - do not distribute or recompile |