DigiCrime is now known as root@localhost

We have been issued several new "Digital ID" certificates from VeriSign. From now on when you receive electronic mail from you will know it is from DigiCrime or its Thief Scientist (or will you?). If you put any trust in Class 1 IDs from VeriSign, then you might believe it, because they issued Digital ID certificates that includes these email addresses. You should think of these as the certificates for our "local offices". We also have special purpose certificates that can be used to compromise users on SGI machines and Windows NT machines.

Here's what one of them looks like inside Netscape. The other ones can be found here.

Netscape window

This is of course potentially dangerous. On most UNIX machines, these email addresses are associated with privileged users or system administrators. If you received email from root@localhost telling you to call a certain phone number to receive your new password, you might be tempted to do so.

The major flaw stems from the fact that these email addresses are not unique. One claim made by VeriSign regarding digital IDs is:

A Class 1 Digital ID provides you with an unambiguous name and e-mail address.
BZZZT. Wrong answer. I could understand this claim if they made some effort to establish identity or use confirmation via email like the New York Times. Even then they would be vulnerable to other impersonation attacks, which raises a question about the value of such IDs. Note that the higher level IDs have mechanisms to more strongly identify individuals.

What makes this a matter of concern is that these email addresses carry a connotation of authority from their common usage, which may lead people to be tricked into doing something that compromises their security or privacy. If such certificates are misused, then they may actually erode security rather than enhance it. Luckily, DigiCrime has no evil intent.

While Andreessen may have the first digital ID from VeriSign, we may now have the first revoked certificate. As of May 5, some of them were not showing up in the data, which conflicted with the stated policy about not currently supporting revocation of Class 1 IDs. This would still not solve the original problem.

Now that they have been revoked, perhaps others with a less benign intent can recapture the ambiguous and potentially dangerous IDs. Moreover, there is apparently no mechanism for distributing certificate revocation lists to applications that might use them. Some of the IDs issued to us are still in the database, and we are not advertising these at this time. If you have Netscape 3.0 you can find them at the VeriSign query service, and also download these certificates.

I used to have more information here about what VeriSign published about these certificates, but I have removed it after receiving email from someone at VeriSign (or anyway, someone who sent me email with a return address of peter@verisign.com). The email mentions copyright issues, and suggested that publishing the content of the certificate may infringe on a copyright. Note however that the above Netscape view of the information in the certificate issued to me contains no copyright notice. I disagree with the claim on copyrights, and the email raises some interesting issues around such certificates. See this page for more discussion on this.

This space intentional left blank

DigiCrime is comically hosted by Southwest Cyberport.