Verisign Buyout of Thawte Consulting Challenged
andyr writes "Independent Online has a report that Entrust Technologies is challenging Verisign's buyout of Thawte Consulting. Verisign is the world's largest SSL Certificate issuer, with 60% of the market, with Thawte the second-largest, with about 40%. Combined, they own 99% of the market."
Four flames and seven firsts ago our fathers brought forth upon this site, a new slashdot, conceived in liberty, and dedicated to the proposition that all posts are created equal.
Now we are engaged in a flamebait war, testing whether that thread, or any thread so conceived and so dedicated, can long endure. We are met on a great opensource arena of that war. We have come to dedicate a portion of that thread, as a first posting place for those trolls who here gave their posts that this site might live. It is altogether fitting and proper that we should do this.
But in a larger sense, we cannot dedicate - we cannot consecrate - we cannot hallow - this site. The off-topic trolls, Moderated up and down, who struggled here, have consecrated it, far above our poor power to add or detract. The slashdot community will little note, nor long remember what we say here, but it can never forget what they did here. It is for us, the trolls, rather to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced.
It is rather for us to be here dedicated to the great task remaining before us, that from these naked and petrified posts we take increased devotion to that cause for which they gave the last full measure of devotion; that we here highly resolve that these trolls shall not have posted in vain; that this slashdot, under Hemos, shall have a new birth of freedom, and that this moderation of the people, by the people, and for the people shall not perish from this site.
Trollmastah
A monopoly on key pair authorization seems Orwellian to me.
Obvious, maybe, but I recently went with Thawte for the very reason that they weren't Verisign.
This sucks, I hope the challenge sticks.
The FTC will step in against this buyout. One company controlling 99% of the market for digital certificates would be a disaster. This is exactly what the anti-trust laws were set up to prevent.
I was wondering why it was taking so long for Thawte and Verisign to finish up. I was talking with Thawte just last week and they were acting like nothing happened.
--patrick
--"Karma is justice without the satisfaction"
Verisign is the world's largest SSL Certificate issuer, with 60% of the market, with Thawte the second-largest, with about 40%. Combined, they own 99% of the market
After all that Microsoft anti-trust stuff on /., I really expected this to be under a 'monopoly' headline.
I don't have much experience with Certificates issued by Verisign (I always sign my own ones) but I think it's a Bad Thing (tm) that one company owns 99% of whatever market you like. How is it possible that Verisign is allowed to do this?
--
If code was hard to write, it should be hard to read
-----------
"You can't shake the Devil's hand and say you're only kidding."
...In the market for personal digital certificates, at least, because Verisign and others don't offer any certificate beyond the self-attested-via-email (Got hotmail?) class 1 certs. The first CA that offers these for a reasonable price will be rolling in the dough.
In the Site.Cert market, I've had excellent experiences with Entrust support and their certificates. Of course, Entrust Certs were signed by...Thawte...
Returned Peace Corps IT Volunteer
It's sad that Public Key Cryptology, as it relates to the web, has become a way of distributing money from web authors to a single company. What do we get for our money when we get a CA certification? A token verification that we have a credit card in many cases. What does the critical certification prove in terms of a trust relationship? Zip. A signed cert doesn't mean I have a secure server that protects my subscriber's credit information, nor does it imply that I'm in any way honest. I like the PGP web of trust model, but I don't know how it could be implemented on the web. There ought to be someway to have PKI without big silly corp in charge.
Some interesting info on the relationship between Entrust and Thawte, and how this affects Entrust:
http://www.entrust.com/investor/12_21_99.htm
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
These guys are a huge scam. It's a ton of money for sending you a computed string. What they're supposed to do for server certs is actually check you out enough to know you are who you say you are. When I got my first server certificate I had to send all manner of info; tax stuff, corp. papers, etc. When I went to renew they asked me to send it all again! I said "Wait a minute, you know who I am and should have that already." She said "well no we don't." To which I said "Well, if you don't know who I am then by continuing to authorize the cert for the last year you were representing to the public that you Ok'd somebody you know nothing about, and your service is worthless at best and possibly fraudulent."
And guess what? I didn't need to send all that info after all, as long as I paid the $725.
What a great business!
The revolution will NOT be televised.
While I don't think it's a good thing that Verisign is trying to corner the market, in fact it kind of scares me. BUT, why do we not generate our own? Good, they're trusted, THEY trust ME because *I* have a DUNS number. But the guy you hand your credit card to at the corner store may or may not, and he may or may not sell that information to some kid for crack money. I wish I could remember the article about why root CA and trusted authorities are going to have to go away eventually, I think it struck me as being Bruce Schneier but I couldn't find it in any Crypto-Gram's right away.
I like music
What real purpose do Verisign & Thawte serve?
For correspondents with whom you have previously had contact, simply digitally signing a document gives high confidence that it comes from the same source as previous documents signed by the same key. Thus a 3rd party certificate serves no useful purpose for already established relationships.
For first-time contacts, how much do 3rd party certificates really tell you about the certificate holder? Is a simple digital signature (without a cert) not just as reliable as a letter with an unknown handwritten signature? (Or even more reliable, as the digital signature also ensures that the document contents have not been changed since being signed.)
There's a numerical formula used by economists (and the FTC if I recall correctly) to give a rough picture of the degree of monopoly or oligopoly in a given industry:
Take the sum of the squares of market shares of the various competitors, and you will get a value ranging from 0 (for what amounts to perfect competition, i.e., a very large number of infinitesimal competitors) to 10,000 (for an absolute monopoly). If the figures in the story are true, then:
Verisign = 60%
Thawte = 39%
Everyone else total = 1%
So--
OLD: 60^2 + 39^2 + negligible = 5121
NEW: 99^2 + negligible = 9801
Hmmm.....
spawn_of_yog_sothoth
...then I'm all ears. Or is that just scratching from his coffin? I just wished I was there when they auctioned off his humidor. Evil racist bastard or not, I bet he had some great cigars!
p.s. For those of you who might not know, Frank Rizzo was the mayor of Philadelphia for many years, and not exactly a civil rights advocate.
The revolution will NOT be televised.
Seriously, I doubt these figures are meaningful, anyway. Most certificates in use are probably for private intranets or extranets, and therefore rolled by the local sys admins. (Best way to keep a network private.)
Even if you're talking about the markets which are open, you're talking about a very dynamic system. This isn't the PC market, which has largely stagnated at the hands of Macrospot, but a realm where fortunes are made and lost quicker than LinuxOne can say "IPO".
The number of SSL-enabled web servers is still pitifully small. By now, most (if not all) servers should be delivering -everything- encrypted. If you only encrypt the stuff you don't want "the wrong people" to see, "the wrong people" know where to look. And international SSL is a pathetic 40-bits.
If -every- web server delivered -every- web page in 128-bit encrypted form, or even 40-bit form, it would be almost impossible for sniffers to pick out the useful information, let alone break the encryption. They'd stand much more chance of just ending up with the local weather forecast or someone's prawn bookmarks. With no way of telling what was what, they'd have to break -every- packet to get -any- useful data. They'd die of old age before they'd get anywhere.
Then, there's IPSec. For the same reason as above, IPSec could destroy the certificate market, as most IPSec implementations don't support X.509 as standard. A merger might create a giant with sufficient power to prevent IPSec becoming adopted, or it might be completely obliterated by the use of Total Encryption.
In short, I don't see the buyout as a threat or a boon. It's an irrelevancy, in a market that's made itself that way.
(Besides, Thawte dumped Sioux, and some things can't be forgiven.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It makes sense to me to have a single, reputable company/organization issue and sign certificates. Having a web of trust is forever as weak as the least trustworthy/ethical partner. At least this way, the very top level signee is a known, trustworthy market leader.
/ k.d / earth trickle / Monkeys vs. Robots Films /
Large print giveth, and the small print taketh away
The biggest issue isn't that Verisign and Thawte hold 99% of the current market. I think the real issue is that they continue to be the default providers of certificates in the majority of web browsers. This gives using Verisign and Thawte the appearance of being seamlessly integrated into the browser. Whereas, if another company wanted to enter into the CA market, it would have to encourage web users to add them into the SSL configuration of the web browser manually or upgrade to a web browser that already has an entry for the new CA. If, instead, a CA configuration could be added automatically via digitally signed updates to existing browsers, then the ability for other companies to enter the CA market (even if it is presently 99% held by one company) would not be the issue it is today. Unfortunately, Netscape Corp. didn't put nearly enough thought into this factor when they proposed and implemented SSL.
He said 60% and "about 40%", for the dumb asses in the audience "about 40%" in this case means 39.x% where x is too trivial to calculate for this example. 60% + 39.x% = 99.x%.
Jeez, do you people really not get it or are you just looking to pick nits?
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Ah, but 39.5% + 59.5% == 99%. Since 39.5% is usually just rounded up to 40% as is 59.5% to 60%, you can see how 60% + 40% == 99%.
From my own experiences with VeriSign and Thawte (as limited as those experiences may have been up to this point), I certainly have not felt that I trusted VeriSign any more as a result of their market position. And, truthfully, I would tend to trust "centralized control" less than a more diverse marketplace, because the benefits of competition extend beyond simple pricing issues.
No Laughing Allowed!
Right now we are buying our site license through Thawte and I must say it is a pleasure to do business with them. Their service is great and their price is right. I would hate to have to pay more to Verisign just because they bought up Thawte. Besides, it scares me when one company grabs too much control over any one market. Then they get greedy and start charging customers outlandish prices (i.e. Microsoft). I say someone needs to stop this deal from going through. That's just my two cents.
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
"Get your domain name for only $45"
Having worked on crypto for some time, I've come to greatly admire Thawte for their careful identity authentication practices, which made a strong contrast with Verisign.
Verisign certainly is large, and their root key is probably in more trusted stores than Verisign's, but not by much. Both, for example, are in the IE4/5 trusted store that comes with shipping windows. IE3 too, I believe. And Thawte will issue keypairs for no charge. Or at least, they used to.
Verisign has made a practice of issuing "temporary" certificates containing arbitrary unverified data. True, the user cert is marked as temporary, and the key expires after I believe 40 days, but the marking is buried and 40 days is ample time to perpetrate a fraud on an unwary user. As a game, the members of my test team would send messages to each other "signed" by famous figures like Gandhi and President Clinton. Since the from header is trivial to forge, these mails looked like the real deal to a cursory inspection. You would have to have a medium-level understanding of crypto even to guess they might be fakes.
Thawte has never allowed this sort of thing to go on. When I applied for my one and only Thawte keypair I had to submit a great deal of information about myself, all of which they verified over the course of a day. I understand Verisign's desire to promote their product, and certainly it must work because of their prominence, but playing fast and loose with authentication is a surefire way to get the whole crypto industry discredited in the eyes of the public.
-konstant
Yes! We are all individuals! I'm not!
After reading the article I realize that apparently the numbers were rounded up. That makes sense because people often have trouble understanding accurate numbers and addition that makes sense.
It's just so much better that the numbers are rounded up so that the description of the article looks stupid. Accuracy would just be too darned hard.
Do you trust a bunch of suits out for profit, or
do you trust someone, like say.. the EFF? I mean really.. go get OpenSSL and start your own CA.
nuff said.
pan
I said no... but I missed and it came out yes.
What Thawte and Verisign do isn't exactly related to the encryption part of SSL, it's related to the X.509 certificates of sites that implement SSL. A site can do SSL without a certificate signed by Thawte or Verisign, but if the Certifying Authority that signed the certificate doesn't have its own signature in the lists of CAs maintained by the browsers (Netscape and MSIE include a list of CAs on the local machine when they get installed; I'm not sure how other browsers handle it.) then the browser will pop up some manner of error message when the site is contacted to the effect of "This site's certificate is signed by someone we don't know, do you want to continue?" It doesn't affect the server's ability to do SSL traffic - it can still do that - it only affects the browser's ability to verify that the certificate assigned to the site is who it says it is. (i.e. if you go to a site called www.mcdonalds.com to buy burgers over the 'net, you can look at the certificate to verify whether or not this is really the place that has the golden arches out front by the information in their certificate.)
The problem here is that probably 95% of the people doing e-Commerce on the net today are going to balk at a purchase if ANY sort of message box that looks like an error box pops up. It doesn't matter if you explain to them that the message only means that the browser doesn't recognize the authority that signed the certificate and that traffic is still encrypted when you communicate with the server, like my mom, they're just going to see an error message and freak out and not want to do business there. (In addition, I've personally had problems with MSIE properly passing information from forms when connecting to a secure site before we get the valid certificate installed. With the "Push here to connect to our secure server" button, ID information we might want to pass across to the secure server seems to get vaporized or something in the process of the user clicking the "Ok, connect anyway" dialog.)
So why can't some new, faster, better CA pop up and just start doing business? Because their signature isn't in the tens of millions of copies of Netscape and MSIE that are already active on the internet. Why can't they just get their signature into the new version? They can, I suppose, although after looking into it from a developer's perspective, I've not been able to find out how one would go about doing this other than I suppose contacting Netscape/AOL or Microsoft directly and passing along various salespersons until you found the person who could tell you how you could pay to have your CA's signature put into the next version. It still doesn't help the millions of people who haven't upgraded yet and will still get that error message.
Further, even if you could manage to get your signature into the new versions of the browsers, there's still the issue of what a CA is supposed to do. The CA exists to verify that the server is run by who it says it is. That means when you go to www.mcdonalds.com to buy burgers and check the certificate and it says "McDonald's, Inc." the CA had better have done its job and verified that the server is indeed being run by the golden arches people. If not, and the customer gets a load of rancid meat, I don't know what kind of liability comes into play, but in the U.S. anyway, someone's probably going to try to sue someone. It's hard to run the kind of services you need to be able to do this sort of thing reliably out of your living room, which means that the cost of entry is rather high. (This is completely ignoring the fact that most CA's I've dealt with lately just seem to accept any old thing you feel like faxing them with whatever letterhead you can throw together. As long as I have a Microsoft Word Form Letter Wizard that can put the McDonald's logo on my letterhead, I could probably get a certificate signed by one of the big CA's stating that I'm McDonald's, Inc.)
So, the problem with this merger is that if you combine Thawte and Verisign, they not only have 99% of the market, but also they, or subsidiaries of those two companies, are most of the CA signatures included with the current version of your web browser. The monopoly is not only in the market share, but also in the fact that the browsers themselves limit the number and which companies are "allowed" entry into the business without generating error messages on the client machines.
One solution would be to separate out the encryption from the trust capabilities; i.e. don't make having a valid X.509 certificate on your site a prerequisite for doing encryption. Or at least program the browser differently so the error message just warns about an unsigned certificate but specifically states that encryption is still capable, you just can't verify that the site is run by who it says it is. Again, this still doesn't fix the problem of the millions of people using current or old versions of the browsers out there right now.
I obviously feel very strongly about this issue.
-=-=-=-=-
My mom's going to kick you in the face!
It's probably something like 59.6 and 39.8, which when rounded off equal 60 and 40 but when added equal 99.4 which rounds to 99.
Rounding to the nearest integer would do it:
59.6% --> 60%
39.6% --> 40%
-------------
99.2% --> 99%
Anyway, unless the actual total really is 100%, people would leave 99% to indicate that there still are a few others out there.
It's like scoring on standardized tests where they tell you you've beaten a certain percentage of other students taking the test. Their policy is never report 100%, even if you alone had the highest score in the nation.
I agree a not for profit organisation to do this would be great. Who though? It has to be someone people can trust otherwise it is worthless and no-one will use it. I agree EFF would be good but how many people other than real IT people know who EFF is much less trust them. This can't be done by just anyone. I am thinking someone like the UN should setup a division for it as they are recognised the world over and their name is generally trusted.
"Patience is a virtue, afforded those with nothing better to do." - I don't remember
CA monopoly == escrow == 1984
What the heck is the FTC and the DOJ up to? They get all hissy-pissy about microsoft giving its browser away with the OS, screaming monopoly the whole time, but when the two companies controlling 99% of the internet signing/verification business merge, they just sit back and watch from the bleachers? Where's Janet Reno when you REALLY need her...
=======
There was never a genius without a tincture of madness.
The most insightful and clearheaded person on Slashdot is no one other than a Microsoft employee... I have to say I like that a whole lot! :)
A monopoly on key pair authorization is not Orwellian.
Orwellian means:
"Of, relating to, or evocative of the works of George Orwell, especially the satirical novel 1984, which depicts a futuristic totalitarian state." (dictionary.com)
Please do not refer to monopolistic business practices as Orwellian. They are not, and calling them such merely serves to erode the meaning of the term.
I've spoken to them myself - two investigators and one prosecutor. They're talking to a lot of people, apparently. If it can be stopped, it will be.
Verisign and Thawte provide different choices for the SSL web servers you can use.
Many banks will not allow a company to sell their products over the Internet unless the transaction is handled over an SSL connection.
Therefore, if you are interested in e-commerce, and happen to be outside the U.S., I would be very worried about this development.
This is very good. I own shares of Verisign. I hope they dominate the world. Kill all the other competitors. If you can't beat them, join them (buy their stocks)! ;)
Would it be possible for Netscape and Microsoft to start putting "reserved for future use" certificates in their software? These would be certificates for which NS or MS has the private keys in a safe somewhere, and they can give the private keys to a new Certifying Authority when they open for business. That would bypass the problem where new CAs start with zero credibility because their certs aren't included with any browsers.
Or have Netscape and Microsoft already thought of this? hmmm...
OK, that wouldn't help the folks running Netscape 2.0, but it might prevent a nasty future monopoly...
--
314-15-9265
I'm posting this as AC because my friend wants to keep this under his hat, but I'll watch the comments and reply where appropriate.
Complain to antitrust@ftc.gov and newcase.atr@usdoj.gov (see http://www.usdoj.gov/atr/contact/newcase.htm ). They do listen sometimes!
--Neal
Go IETF!
I use Netscape 3.04 instead of Netscape 4.X for technical reasons (unbearable bugs in Netscape 4.X). The Verisign CA in Netscape 3.04 (and earliest 4.X) expired Dec 31, 1999. I went to download a new CA certificate and found that none was available. An exchange of e-mail with tech support, after a couple rounds of trying to explain to them what I even wanted, their only excuse was "We only support Netscape 4, you should upgrade". AFAIC, if they "support" it, they should fix it (but they declined).
I went to the Entrust site to see if they might have a root CA certificate I could download. Bingo! They do!
Now tell me why a big resourceful company like Verisign is totally unable to build a root CA certificate for Netscape 3.04 while a little puny company like Entrust has the resources to pull it off (and even earlier versions).
And Verisign can't even get their web site to work without having to type in the "www." while most places, including Entrust and Slashdot can.
now we need to go OSS in diesel cars
The CA exists to verify that the server is run by who it says it is. That means when you go to www.mcdonalds.com to buy burgers and check the certificate and it says "McDonald's, Inc." the CA had better have done its job and verified that the server is indeed being run by the golden arches people. If not, and the customer gets a load of rancid meat, I don't know what kind of liability comes into play, but in the U.S. anyway, someone's probably going to try to sue someone.
;)
Rancid meat? That is a normal and successful purchase at McDonalds. ["Our pledge to you is at least one bandaid in every egg mcmuffin!"]
Your other points are spot on.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
It's behind a room with a complicated mantrap to enter the normal way. However it has a nice huge window to the outside world at ground level once you're in their safe room.
I won't mention how the combo to the safe is kept in the room in plain sight.
Go to their Mountain View HQ and see for yourself. It's true.
Stop calling everything "buyouts" and "takeovers" when they are not. You are making it something that it isn't. When companies hand people have choices they are just being acquired.
Due to the root CA crap, it's not easy. I thought maybe we could become our own internal CA and get one of the root CAs to sign our CA so it chained up and was recognized by browsers, but you wouldn't BELIEVE how much that costs. Even Thawte charged a fortune. $20,000 plus a dollar for each cert we'd sign.
So I set up our own CA. I could embed our own root CA into all browsers we distribute. I also put the root CA on our web server so people could choose to import it into their own browsers, but for whatever reason, IE 4.5 on a Mac does not have this ability. Plus you wouldn't believe how many people bitch about installing the root CA due to the dire messages some browsers put out about it, but these same people think nothing of granting a java applet permissions to "read/write files/settings" from some unknown site.
It's a mess, and sometimes I think it's all a scam to make encryption for the masses to be too much of a pain in the ass to bother.
Yes, verifying a server's identity is important for e-commerce situations, but if given the choice between encrypted traffic between two unverified points or unencrypted traffic between two unverified points (which is what almost all net traffic is anyway), marginal safety is better than no safety (as long as it doesn't lull you into a false sense of security).
One goal of mine was to prevent a boss of mine from saying "get this slacker's e-mail from his account or else be fired" in the future. Then I could say "it's all encrypted, sorry." (Thank *GOD* I've never been asked this in my 10 years as a net administrator here...yet)
One of the major problems is that these dig signatures and encryptions are not standard. One email client may support one while another doesn't.
I've had to switch email clients many times, that gets kind of frustrating. We need one encryption method that all clients support, for free. I do like the way Thawte has the "free" digital sig, and you can add your actual name to it with a little bit of verification. People will never use this stuff consistently unless it becomes a standard.
Fook
The price we pay for immortality... is death. Narnia The Great Fall