Thawte Protects The World From Crypto

nutsaq writes: "Thawte.com, a South African Certificate Authority, in a move of astonishing wrong-headedness, has inexplicably changed it's developer certificate policy. To quote from the site: 'Due to current world circumstances developer certificates can no longer be issued to individuals.'Sucks to be working with crypto these days. Apparently I'll get no help from Thawte to encrypt stuff, oh wait, I didn't need it, the browsers did."

Thawte responds:

[Domini]

I e-mailed them and got this response from Jeanne Fourie:

Dear Marius

Thank you for emailing me with regard to your concern. Due to the current
international threat of terrorism we have been advised by
our parent company VeriSign to refrain from issuing developer certs to
individuals, for the mean while.

As you will be aware, there is a need right now for companies like ourselves to be
extremely cautious in all aspects that concern
security and encryption.

Developer certs are issued to individuals based on verification of passports and
drivers licenses. These documents are however easily
forged and we have therefore had to take the executive decision of not issuing
certs where the verification process may be
questionable.

We are positive that we will be able to resume this service in the near future. I
do apologize for any inconvenience that this may have
caused you.

Regards

Jeanne

As can be seen it seems to be Verisign who requested this....

Hmm...

Re:What difference does this make in the long run?

[gregor_b_dramkin]

Thanks for opening up your skull and letting us peek at the cavern inside. I normally wouldn't reply to flamebait such as yours, but I'll make an exception in this case to try to stem the flow of ignorance that pours from your keyboard.

1)
Script kiddies do not break ciphers. They do not find exploits. They do not reverse engineer systems. If they could do any of these things, they would not fall under the derogatory category, "script kiddie".

2)
Pick any of the following algorithms and break it: IDEA, 3DES, RSA, DH. I guarantee you will be famous, at least within security/cryptography circles. These are algorithms that have been scrutinized for decades by professors and professionals. I don't think a 12 year old could break these, except in a movie.

3)
SDMI (I assume this is what you mean by SDMA), was a copyright protection system not an encryption system. Anyone who believes they can create a secure, stand-alone, software copyright protection scheme is either ignorant or a genius. Given the ratio of ignorance to genius in the world, I know how I'll bet.

4)
The reason so many crypto systems are broken usually falls into one of two categories
a) The developers think they can design a system just as strong as the professionals who have devoted their lives to making and breaking ciphers.
b) The designers were forced to use limited strength crippto due to stupid crypto laws.

Incidentally, the DVD CSS system was broken by the combination of government-mandated 40 bit key length, and a home-made algorithm that reduced the effective keylength to around 30 bits. This makes it possible for an attack to be completed in seconds. FWIW, a 40 bit key search takes 1024 times longer than a 30 bit key search.

Make your own developer certs

[KlomDark]

It's amazingly easy. Get OpenSSL, install it...

Make your homebrew CA private key:

openssl genrsa -des3 -out ca.key 1024

Create your CA self-signed public key:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

OK, you're set up as a homebrew Certificate Authority (CA) and ready to start signing your own home-brew certs:

First, create a homebrew private key:

openssl genrsa -des3 -out server.key 1024

Create the unsigned public key (AKA certificate signing request) At one point in the process, it asks for "Your Name" - if this is for personal identification, then put in your name. However, if this is for a development web server, then put in the web site address "dev.www.wherever.com" when it asks for "Your Name"

openssl req -new -key server.key -out server.csr

Get the sign.sh script from the Apache mod_ssl distribution, use this to sign the certificate:

./sign.sh server.csr

There you go, you now have the private (server.key) and public (server.crt) keys. Install them on your webserver.

They will work, but your browser will whine about them being signed by an untrusted source. No problem there, give a copy of CA.crt (NOT CA.key!!) to any developers using your web server and have them install it on their machine, from then on, their browser will consider any certs signed by your homebrew CA key to be valid. To install the cert on IE browsers, a hint: you do not use your browser to do it, even though there is an "Install Cert" button on the window that pops up to let you know that the cert is signed by an unknown CA. Instead, you give them CA.crt, have them save it to their hard drive, then open up Windows Explorer, right click on CA.crt, and pick Install Cert from the menu, a Certificate Wizard will pop up, go with the defaults, then your machine will trust the homebrew certs.

The root certificate game has always been just a money scam, especially for dev certs.

Re:Make your own developer certs

[Vapula]

Distributing a CA cert under Netscape is very easy.

You just have to use the little CGI that follows...

#!/usr/bin/perl -Tw use strict; $|++; open(FP, "); close(FP); my $len = length($cert); print "Content-type: application/x-x509-ca-cert\r\n"; print "Content-length: $len\r\n"; print "\r\n"; print $cert;

A link to that CGI with the mention "install the certificate into my Netscape" and you're done. (I don't know if it works with MSIE... I never use it !!!)