Slashdot Mirror

← Back to Stories (view on slashdot.org)

Verisign to run National RFID Directory

Posted by CmdrTaco on from the we've-seen-this-before dept.

JamesD_UK writes "Verisign has been given the contract to develop a national RFID directory by EPCGlobal. Under the directory scheme each company will maintain an Object Name Service analogous to DNS with Verisign running the root server. Verisign has already setup the infrastructure at six different global sites."

37 of 194 comments (clear)

  1. lol... by REBloomfield · · Score: 4, Funny

    PeopleFinder is on it's way then :)

    'The person you are trying to find does not exist. Did you mean....'

    1. Re:lol... by Dilbert_ · · Score: 5, Insightful

      Heh, that means we'll soon get all-kinds-of-stuff.google.com ;-)
      Imagine entering a query to retrieve your car keys... the possibilities are endless.

      --
      superblog.org: all your favourite blogs on o
    2. Re:lol... by quigonn · · Score: 5, Insightful

      Yes, the possibilities are indeed endless. I'm wondering when the terrorists will catch up and build booby traps that only explodes when the RFID scanner attached to the booby trap detects an e.g. US-american citizen nearby (which wouldn't be too difficult to build, since the passports will have RFID tags, too). "RFID tagging supports terrorism"?!

      Or the criminals that check whether it's worth to rob out a bank or a store by using an RFID scanner that detects all banknotes and calculates how much money is in the cash register. "RFID tagging supports delinquency"?!

      --
      A monkey is doing the real work for me.
    3. Re:lol... by Lord+of+Ironhand · · Score: 5, Funny

      > Imagine entering a query to retrieve your car keys... the possibilities are endless.

      Indeed, why restrict yourself to your own car keys?

    4. Re:lol... by El_Muerte_TDS · · Score: 5, Funny
      Imagine entering a query to retrieve your car keys... the possibilities are endless.
      Imagine somebody else entering a query to retrieve your car keys... the possible locations of your car are endless.
    5. Re:lol... by Saeed+al-Sahaf · · Score: 3, Funny

      Yes, imagine waking up after way too much to drink way to late into the night... "where am I?" Just scan your self.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  2. And if you use one that does not exist... by Anonymous Coward · · Score: 5, Funny

    you get a nice Verisign advertisement.

  3. Verisign & code signing by BigHungryJoe · · Score: 5, Insightful

    Did anyone else run into trouble with Verisign using Microsoft's code signing last week? A bunch of Verisign's certs expired, which shouldn't have mattered if you were using the API correctly, but WinVerifyTrust() was blocking for minutes at a time. (I'm not sure why the certs belong to Verisign and not MS)

    The CryptoAPI mailing list was claiming that "verisign was running slow".

    Anyhow, if its true, I don't trust Verisign for to provide infrastructure for squat.

    1. Re:Verisign & code signing by BenBenBen · · Score: 5, Informative

      One of the grand-daddy certs expired. Screwed everything from websites to Norton Antivirus

      --
      The Slashdot Paradox: "100% Overrated"
    2. Re:Verisign & code signing by jrumney · · Score: 4, Informative
      Yes, but isn't it Microsoft's job to renew their certificate with Verisign?

      Microsoft's certificate wasn't expired. The problem stems from the fact that Verisign sign third party certificates with a certificate which has an expiry date (for safety, to limit the effects in the unlikely event that the private key is stolen from the secure facility it is kept in). The Verisign certificate is not part of the server certificate (otherwise people could make their own "Verisign" certs), it is distributed with tools and browsers etc.

      Now a few years ago, Verisign realised that one of their Root Certificates was about to reach the point where it would expire within the lifetime of the certificates they were issuing. The sensible thing to do would be to create a new Root Certificate, and start using that, but then everyone using existing browsers and other tools would need to install the new certificate to continue working smoothly. Instead, they decided to extend the expiry date of the existing certificate, and reissue it. This meant that existing tools could keep working for a while without installing new certificates, and as newer updates replaced them, the new certificates would filter through.

      The problem with this approach is that people became complacent and it was just delaying the problem. Some certificate stores ended up with both new and old certificates, and bugs in software (some MS software from what I've heard) meant that the old certificate was still being used, the new one was ignored. Other software (Java) continued being released with the old certificate and noone noticed until about a month ago. And then there's all the installations of Netscape Enterprise Server, Netscape 4.7, even IE 4 and 5.0 that are still out there with old certificates.

  4. Hey, Alright! by robpoe · · Score: 3, Insightful

    So, when you need to change something, or fix an error with your registered RFID tag, you can attempt to make the change via their web interface, then wait a week and a day, or you can call in and fax in the form and have someone never get anything done with it, too?? Then, right in the middle of it all, they'll switch out how things are done and you'll have to conform to their backward standards..

    --
    = Grow a brain...
  5. Great... by jasonfncsu · · Score: 5, Funny

    now verisign has the ability to erase me.

    Please remember me when I'm gone...

    --
    Jason Faulkner
    Old Os Administrator
    jason@oldos.org
    oldos.
    1. Re:Great... by nacturation · · Score: 3, Funny

      now verisign has the ability to erase me.

      Please remember me when I'm gone...

      Don't worry... you're still in the Google cache, although you haven't been spidered since you were 11 years old.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  6. In other news.... by nuclear305 · · Score: 5, Funny

    The ./ community has released an update to patch this "issue."

    Simply wear the provided tinfoil hat to nullroute this new service.

  7. Renewal fees by vpscolo · · Score: 5, Insightful

    Just wait until the implement wildcard RFID als site seeker and start charging $70 a year to renew a tag. It wouldn't surprise me a bit

    Rus

    --
    CPanel + Root from $35/mo - 10% off with discount code SLASHDOT
  8. what about UPC? by Mazzie · · Score: 3, Insightful

    Found it very odd that they didn't mention UPC even once in the article. Wouldn't it make sense to have support for UPC while EPC is phased in over time?

    --
    Having a bookmark to Google does not make you an expert on everything.
  9. CueCat vs. EPC Directory? by WebTurtle · · Score: 3, Interesting

    It seems that this is just a slightly different implementation of an old idea. The only really interesting thing is that they are searching for RFIDs using the same redundancy as DNS.

    What are the similarities between CueCat and the EPC Directory project? It seems to me that the only difference is the scale of the implementation.

    Is that accurate?

    --
    ------- "One of the joys of travel is visiting new towns and meeting new people." -- G. KHAN
    1. Re:CueCat vs. EPC Directory? by Tackhead · · Score: 3, Funny
      > What are the similarities between CueCat and the EPC Directory project? It seems to me that the only difference is the scale of the implementation.

      CueCat: Privacy-intrusive, shaped like a dildo so you could go fuck yourself with it, and run by a useless bloody looney who was first against the wall when the last tech revolution ended.

      VeriSign: Privacy-intrusive, is useful only for telling you as a customer to go fuck yourself, and run by a load of useless bloody looneys who will be first against the wall when the next tech revolution starts.

      So in answer to your question... really not much difference at all.

      Q: How can you tell your sysadmin's got a Verisign rep on the phone?
      A: You hear someone screaming "YOU STUPID FUCING COCKSUCKERS!" into a phone every ten seconds, from six cubicles away.

  10. Too much control by one company? by wongqc · · Score: 5, Insightful

    Mabbe it's juz me....but I am extremely uncomfortable of them running both the RFID database, and the DNS database. Too much control by one company.....I would prefer it's runned by a non-profit org. But I don't really like the idea of RFID in the first place.

  11. Choice of Verisign is very misguided by Anonymous Coward · · Score: 4, Insightful

    For at least two reasons, choosing Verisign for this project is as bad a choice as picking SCO to safeguard free/open-source software -- a direct analogy, not just because SCO is flavor of the month.

    Not only do they lack the technical competence to do it properly and flexibly, but they also lack the professional integrity to be doing this work. It is a company that rejoices in its commercially-led myopia, at every opportunity making the "wrong" decisions on the basis of perceived market benefits to itself alone.

    This is going to end in tears.

    1. Re:Choice of Verisign is very misguided by polyp2000 · · Score: 4, Insightful

      Sometimes I wonder who makes these illogical decisions. Certainly not people who have a clue about what they are doing , thats for sure. Why are there not more savvy people in higer places?

      --
      Electronic Music Made Using Linux http://soundcloud.com/polyp
    2. Re:Choice of Verisign is very misguided by jaaron · · Score: 3, Insightful

      Why are there not more savvy people in higher places?

      Because savvy people avoid the temptation of higher places. They're happy coding, studying, exploring, inventing, and recognize that getting involved would mean sacrificing much, if not all, of that. There are some "savvy" individuals who feel driven enough to put aside personal pleasures and take up a cause, but often they feel that in the end, it's not worth it. Let the idiots who crave power, fame, wealth or whatever waste their lives in petty politics and schemes. The savvy are often savvy enough to just not play those games.

      That's not to say it's morally right or wrong to get involved. It's a choice about how one wishes to live life and contribute. But you'll often know a good leader by the one who turns down the offer. I'm in an organization right now in which the current leader is stepping down and finding a new one is hard. Everyone who is truly qualified doesn't really want the responsibility or trouble. A savvy individual who is willing to play the game of "higher places" is rare indeed.

      --
      Who said Freedom was Fair?
  12. Thats nice. by torpor · · Score: 5, Insightful

    But we should have an open, public, maintainable database which is -not- under the exclusive domain of Verisign for these things.

    I can think of plenty of private uses of RFID which I would not want Verisign to be involved in, in the slightest.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    1. Re:Thats nice. by ajs · · Score: 3, Interesting

      I always assumed that Verisign was a US government front company. I guess this makes it pretty clear.

      Think of it this way, if you were in the FBI, advising the White House about upcoming threats to domestic security, what would you say about a growing global network of computers that it's pretty clear all business will rely on within the next 100 years? Would you advise that the government find a way to have a controling hand close to the heart of such a beast? Would you allow the military to give up control of such a thing whithout maintaining some sort of back-door power?

      It's not so much about conspiracy, as about the way you manage resources. Verisign has either been involved in or bought the companies involved in the technologies most likely to scare the government (PGP, DNS, RFID, being a CA). This combination of interests and amazingly lucrative and monopolistic contract awards is fairly damning.

      To jump back to topic, adding in RFID means that whoever has access to Verisign now has access to a giant database of what amount to tracer bugs planted (soon) in most of the items that you buy. Just think of the harm caused by the most obvious uses....

      I really think that a national database of RFIDs should not be allowed. We should have a national allocation scheme like we do with Ethernet cards, based on industry standardization, but NEVER a database of final numbers.

  13. Verisign and RFID by Pompatus · · Score: 4, Funny

    all in one story is not quite enough for a flamewar. If they were running this new service on SCO licensed servers donated by Microsoft in order to find oil on Mars, THEN you would have a story.

    --

    ----
    Squirrel ... It's not just for breakfast anymore
  14. ASN.1 vulnerabilities? by winchester · · Score: 3, Insightful

    Given the fact that this sounds like a directory in X.500 or LDAP format, which are both extremely vulnerable to ASN.1 vulnerabilities, hackers will have a field day exploiting this directory.

    Also, since ASN. is very non-trivial to program, it will be interesting to see how many programmers will be able to use this succesfully... i am referring to the ASP.NET generation :-)

  15. Verisign is not so bad by markov_chain · · Score: 3, Funny

    Imagine the outburst on here if FBI was to run directory!

    --
    Tsunami -- You can't bring a good wave down!
  16. Surprised? by Raven42rac · · Score: 3, Insightful

    Is anyone actually surprised by this? I was just as shocked when Oracle's Larry Ellison said that he would help set up the National I.D. card database. These companies are just profiting from stealing away what little chunks of our privacy we have left, after congress and the government have taken their share. I guess that in this economy they will do anything to survive. Sad.
    </conspiracy theories>

    --
    I hate sigs.
  17. As much as I hate VeriSign... by Shoten · · Score: 4, Informative

    I have to say that they've proven that they're a good choice for this. Keep in mind what the #1 priority is for maintaining TLDs, particularly the big ones (.com, .net, .org) that Network Solutions/VeriSign handled for most of their lives. VeriSign's idiocy and abuse with regards to non-existent domain handling and misleading 'renewal' notices are despicable for sure, but while all that was going on, they also kept things up and running quite well, even weathering out the largest DDoS on record without going down.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  18. ObjectID spoofing, here we come! by Craig+Ringer · · Score: 4, Insightful

    Just think what fun you could have with cache poisoning.

  19. So let me get this straight... by TygerFish · · Score: 5, Insightful

    The company that thought trying to swindle *everyone* who didn't know the market price of domain registration by sending out pseudo-bills is the company that the Gov'mint thinks is worthy of keeping tabs on, well, on everything?

    Okay, I got it.

    I understand the future: no company will be entrusted with sensitive, and potentially vital security work unless they combine incompetence with malfeasance.

    Lovely...

    --
    To mail me, remove the 'mailno' from my email addy.
    "Yeah. It smells, too..."
  20. New Verisign Ad Slogan by lww · · Score: 3, Funny

    We put the 'F' in RFID...

  21. Write to EPC, my letter is here: by kidMike · · Score: 5, Insightful

    Please write to Jack Grasso, Director of Public Relations, at mailto:jgrasso@uc-council.org.

    My letter is below:
    (hpoe my facts are mostly accurate)

    Good morning Mr. Grasso -

    I am writing this morning to express my extreme dismay at the selection of VeriSign to run this RFID registry. As a professional in the technology field, I have dealt with VeriSign on many occasions, and have decided that I never will again, if at all possible. VeriSign has a history of putting the company first before all else, including privacy, not a great attribute for someone who will organize a system to track millions of things and people.

    VeriSign has engaged in deceptive business practices, for example the "fake" invoices they sent out to clients of competing registrars, giving the false impression that the client had to pay VeriSign in order to renew their domain (VeriSign lost many lawsuits over this deceptive practice, and the FTC even got involved).

    VeriSign most recently used the monopoly position on maintaining the .COM and .NET "Top-Level Domains" to bring web surfers that made a typo in a URL to a VeriSign-owned search engine, which sold advertising to other companies and promoted specific search results based upon their paid advertisers. In the process, the technological changes they made to do this caused the malfunction of millions of programs, primarily many anti-SPAM utilities.

    In all these cases, VeriSign acted greedily to further the company's aims over what's good for the people who must use the services that VeriSign administers. Their track record of deception and the world-renowned sluggishness with which their company operates should be a red flag for anyone who understands the types of technology involved and the effects that VeriSign's moves has had on the Internet.

    Please consider some additional viewpoints. There is a website known as SlashDot, located at http://slashdot.org, which has one of the largest user bases of any web site. Most of the users are tech workers, and the discussions on SlashDot are some of the most intelligent discussions I have ever read. A discussion on your organization's decision is in progress right now. Please read it at http://slashdot.org/article.pl?sid=04/01/13/125721 2&mode=thread&tid=158&tid=99

    And please pass along to your management the unhappiness this move has brought to the vast majority of the people who actually understand what your technology does, what it is capable of, and the ways it can be abused.

    Thank you for your time.

    --
    -- You can't drink all day. (Unless you start in the morning...)
  22. In other news... by gekkotron · · Score: 3, Funny

    Verisign is considering a name change to 'Skynet'.

  23. Re:Credit for This Idea by geoffspear · · Score: 3, Funny

    I bet you were worried when they started putting barcodes on everything in the grocery stores, too.

    --
    Don't blame me; I'm never given mod points.
  24. My worst fear has come to life by Klowner · · Score: 3, Funny

    I can see it now. I'm shopping in wal-mart (Clearly this is a dream sequence)

    After browsing around for a few minutes, I walk out the doors without purchasing anything.

    BOOM! Two sets of doors slam open, and out comes ItemFinder "Service" Bot ! Scooting towards me at nearly 35mph, knocking me down with his huge spiked arms.

    [IFBot] I AM SORRY THAT YOU WERE UNABLE TO FIND THE ITEM YOU WERE SEEKING!!!
    *** IFBot picks me up and throws me back into the store
    [IFBot] PERHAPS THESE ITEMS ARE WHAT YOU WERE LOOKING FOR!!!

    ...damn you item finder bot

  25. How EPC works by jan+de+bont · · Score: 3, Insightful
    1) Read an RFID tag, get an EPC.
    2) EPC is 96 bits: Header, company, product, serial #
    4) Extract "company" bits (exact length set by header flags). Make a lookup call to root ONS server. It will return IP address of "company"'s ONS server.
    5) Extract "product" and "serial", call company's server for information on that instance of that product

    Note that steps 4-6 are likely to be buried off in a single API call that accepts the whole EPC as an argument... and that (local) caching likely means that step 4 is often skipped. Caching can also help step 5, mostly when were only interested in product and not serial... but I digress from the point.

    Further note that Verisign is only involved at "Company bits -> IP address of company's ONS" in step 4. No other involvment from Versign... so lots of scenarios suggsted above are just BS. Verisign either answers the query; or not.

    If they attempt to "squat" like they did on unused domains, they can only do so on unused COMPANY codes (more like TLDs than unused domains)... and why would a real world RFID tag ever have an unused company code?

    As for perverting any deeper information about that product or that instance... they are not involved in those calls... no can do.

    Jan