Thawte Bought by Verisign
ChrisKnight was one of the many people that wrote with the story on news.com that VeriSign has purchased Thawte Consulting. Purchase price was reportedly $575 million, although the deal must still be approved.
Re:hello monopoly (Score:1)
AFAICT, there is no crypto in Mozilla due to the international nature of the dev. effort. There is a separate crypto project, and no doubt Netscape will add a crypto module if the Mozilla product becomes Navigator 5.0. No crypto => no CA. For Netscape > 4.5 there are some Verisign CA certs that expire in 1999, but some are good to 2028, so it depends on your host's cert (which may expire).
Re:Darn! (Score:2)
You can go ahead and create your own keys and certificates... What you're paying Verisign for is not 100% related to your keys.
First, you're paying to have a certificate that's been signed by an authority that just happens to be preinstalled in 99% of the browsers out there.
You're also paying for the "trust" factor that goes into getting a certificate. Yeah, the lowest level ones aren't much more than filling out paperwork, but (AFAIK) in order to get one of the more expensive ones, you must go through more steps to establish "who" you are.
If all you want is to establish secure connections, you don't need either of their services. If you want to be able to do so without having a little warning pop up on a users screen, you need to enlist their services.
That all said, if the merger/acquisition goes through, close attention should be paid to their pricing... If they immediately yank the low-cost certificates, or even if it's an eventual thing, a big stink will need to be made IMMEDIATELY...
Until then, though... More power to them.
Re:Buying your competition? (Score:2)
Re:I should point out... (Score:2)
What about Equifax? (Score:1)
Re:More closed source monopoly (Score:2)
but now that Verisign owns all but 4 or 5 of them, I wonder... this is sleazy!
Really, though.. run your OWN ca, and direct people to a page that explains how the whole process works (more than Verisign does!) to the common man, and have them simply accept the key into their browser.
Better yet, offer them client keys as well!
Re:You can submit your comments to the DOJ (Score:1)
That's the page where it says to send complaints to.
Only 200 pounds? (Score:3)
These companies really have to learn that it's not that impressive if they weigh only slightly more than the average American male. Even if America is a chronically obese nation.
Maybe Microsoft would like to help them out by hooking them up with some of that combination bovine-growth hormone [purefood.org] and human-growth hormone [google.com] regimen that's keeping Gates's hair so glossy and thighs so sexy. They'll help make Verisign a man [wvu.edu]. How do I know this? Try searching Google for "make you a man" [google.com]. Microsoft comes up as #2. Does Judge Jackson know about this?....
Verisign certs are worthless in about 10 days (Score:1)
The one thing that really bugs me (Score:2)
I understand PKI. I understand x.509 certificates.
What I don't understand is why, in the first place, X.509 certificates were required to use SSL. It should not be necessary. Why are modern browsers set up so that you cannot use SSL unless you have appropriate x.509 certificates? I mean, I have no problem with the browser telling me it's unsigned, or untrusted, but I should still be able to use session encryption.
Feh.
Maybe we should ask Judge Jackson (Score:2)
With apologies to Brunching Shuttlecocks [brunching.com].
Re:And this would mean...what? (Score:1)
Entrust is a Provider of Enterprise PKI Systems (Score:2)
In certain circles in industry (like financial services), Verisign was primarily looked at as a service bureau who was willing to deal with small businesses. I realize that from the perspective of the consumer and small ISP they look like the only game in town. But, this was never the case at the high end.
I think this is a good acquisition for Verisign. It solidifies their position in the small and mid-sized business marketplace. This also creates an opportunity for a competitor, although it may not be a small company that tries to enter this market.
--
Dave Aiello
Re:How does international anti-trust work? (Score:2)
(gee, is that somewhat similar to the current DNS structure that gave Verisign so much power? ie: it only works because our products all use it by default.)
Other CAs for email besides Verisign (Score:2)
Cheers,
ZicoKnows@hotmail.com
And this means? (Score:1)
Bah! (Score:1)
Good move, Thawte, bad move, Verisign. (Score:4)
Bad move, Verisign. First of all, the net stock bubble is called a bubble for a reason. However, when acquiring other companies, you should buy for value or make acquisitions strategically. Does Thawte own anything, other than marketshare, that Verisign doesn't already have? In most mergers and buyouts, the purchaser usually ends up losing equity when the euphoria wears off. I doubt that this will be an exception to the rule.
I can deplore Microsoft's mania in acquisitions, but more often than not they acquire intelligently - taking out possible competitors, buying into new technologies. They don't acquire just for the hell of it. Paradoxically, they have too much money to do that.
Bad move, for the global net. Thawte is a South African company, and so the purchase takes an international venture with global reach and sucks it into the gaping maw of Silicon Valley. Not that there's anything intrinsically wrong with the valley. It's just that something sticks in my craw with one location dominating an entire industry.
Bad move, for everyone. A 200-lb gorilla in any industry is bad for business. A 200-lb gorilla in the security industry is worse. The security industry is based on trust (or at least mistrust)
--
Cornering the Market?! (Score:1)
Re:Noooooooooooo! (Score:1)
How do browser certificates work? (Score:1)
Re:Good move, Thawte, bad move, Verisign. (Score:2)
Like the possibility of the entire industry's headquarters being eliminated in one really big earthquake like the one California may have in its future?
next chance for additional certificates: Mozilla! (Score:1)
But the question is: How to introduce new (root) certificate instances? Well, only a new browser version will make it possible for the "dummy" user without hassle.
So next stop is Mozilla/Netscape 5.0.
I suggest on this "stop" to add/introduce an open certificate instance (but don't read that as "insecure") like the German cert/dfn. This root instance should be driven by scientific or nonprofit institutes which can't be beaten or bought.
Yes, that's probably going to be a problem. (Score:1)
Wade.
You can submit your comments to the DOJ (Score:4)
You can submit your comments on this matter to:
newcase.atr@usdoj.gov
I have sent my comments and sent this email to my friends, do the same!
You can't always talk to the local office. (Score:1)
I've dealt with Thawte for a long time. Most of the time you get great service from the local office (in my case the Toronto branch) but I've had to deal with their head office on three occasions in the last three years.
Call the Justice Department (Score:1)
EVERYONE call this number and complain about the ridiculous monopoly that has ensued!
The Justice Department, Anti-Trust Division
(415)436-6660
(San Francisco, California)
Not so fast! (Score:1)
Re:Bad news (Score:1)
That assertion is based on some recent personal experience.
Re:You can submit your comments to the DOJ (Score:1)
Private Bag X274
Pretoria
0001
South Africa
He also has an email address listed on the web site, but spamming him might be counter-productive. Does anybody from South Africa have a better person/place to email/write to? They should really be alerted to how bad this merger is for all of us.
Export controls "don't" restrict authentication (Score:1)
In reality, it's a bit more restrictive than that - the RSA algorithm uses the same routines for encryption and signature verification, and for decryption and signature, so export of source code for RSA-based certification systems, which should be legal, might not be (or at least might have trouble getting permits if you apply for them; John Gilmore's permit for DNSSEC was granted and then yanked). But export of binaries still should be fine, assuming they're only designed to do signatures and verifications well, and that's enough to run a business on.
Digital Signature Algorithm/Standard (DSA/DSS) signatures only provide signing/verification, not encryption, so a system using them should be exportable without a permit, even in source code. (In reality, the "subliminal channel" misfeature means you can use it for slow symmetric-key encryption by hiding bits in your choice of random numbers, but that's ugly and the Feds like to pretend it's not built-in - at least if you don't add subliminal-channel support to your crypto source code.)
Re:Offtopic, sue me, no wait mod me down (Score:2)
But even the Northridge earthquake, with an epicentre right in the middle of a heavily populated area, only killed 16-odd people. It was a smaller earthquake, but the really big ones are only expected to occur in the boonies. The effects of the 7.x in a distant area of Southern California were way less than the effects of a 6.x in a major population centre.
D
----
Re:First Post (Score:1)
Rob, I think we have a Slashdot bug here. An AC posted a first post message, and it got a score of 1!
I'm disappointed of Thawte (Score:1)
Re:too bad: they offered much cheaper certificates (Score:1)
Re:Goodie Goodie Gumdrops (Score:1)
Goodie Goodie Gumdrops (Score:1)
Twat bought by Vagisign (Score:1)
Re:Last Post! (Score:1)
In the event that anything goes wrong, or you use your certificate for some nefarious purpose, you indemnify us of any wrongdoing. We disclaim everything.
spawn_of_yog_sothoth
... (Score:1)
wonderful (Score:1)
*SIGH*
Links (Score:2)
This is terrible! (Score:3)
Thawte provided signing support for SSLeay keys very early on. Verisign is slow to change.
On the other hand if things get complicated (if your verification documents for a certificate are not "normal") then dealing with Thawte can be a pain. Thawte has its head office in Africa. Have you ever tried to send a long fax to Africa? If you get a clean line you might get one or two pages through at a time.
I should point out... (Score:1)
--
Kyle R. Rose, MIT LCS
Good grief, who's left? (Score:3)
Yikes.
Verisign Monopoly and price gouging (Score:2)
http://www.verisign.com/server/prd/g/index.html
I also don't like the fact there is now no competition to Verisign and that they have huge requirements and are slow to respond to problems and can't track documents within their own company that you send them. If you can't do everything the Verisign way then God help you since they will drag everything out forever and lose documentation you send them.
I also see they are buying Signio E-Commerce payment service for business to business e-commerce transactions. Where will they stop, they are starting to sound like they want to be like Microsoft only they want to control all secure and E-Commerce stuff on the internet.
Verisign also charges more or at least used to charge more for basic secure certificates. Looks like the days of just buying a certificate for your server are over. Now you have to buy a whole package of services and you probably won't be able to get wildcard certificates any more either. Which is a real problem since I shouldn't have to pay $950*x just for a few servers in my own domain for easier administration purposes to do internal stuff via a secure web page.
This just plain sucks!
First Post (Score:1)
time for an open-source competitor (Score:5)
There's already open-source software out there for generating certificates. The other barriers to entry are:
1. Name recognition. If you're in charge of security at a medium to big size company, your chief goal is to protect your own ass. To that end, you'll spend the extra money to buy Verisign, because nobody ever got fired for using Verisign.
2. Being in the browser. This is a big one; your CA cert has to be pre-loaded into your user's browsers. This involves paying many thousands of dollars to MS and Netscape.
The other things you need to be a CA are:
1. Legal staff and Certification Practice Statement.
2. Clerks for researching and verifying identity.
3. A killer operations and security infrastructure to protect the CA's key and prevent unauthorized signing.
CAs can and should be a commodity. The thing to watch out for is Verisign introducing proprietary technology into their certificates, or making exclusive deals with the browser manufacturers.
Entrust offers 128 global too... kinda (Score:1)
There's only one catch.
Their certs are signed off on by (drumroll) Thawte! Which is now a subsidiary of Entrust's rival, Verisign. Hm.
Re:You can submit your comments to the DOJ (Score:1)
Can you post information more information about this address, such as where it came from and how best to identify the issue we are protesting?
Anyone thought of Enrust.net? (Score:2)
They did not want to pay the gazillions that it cost to have their CA cert embedded in the browsers, so they got THAWTE to cross cert with them.
This now means that the Entrust.net intermediate cert is OWNED and could be YANKED by Versign. And Verisign could be the only major player.
If this does not happen, then at least we will still have more than ONE choice for server certs.
Just my $0.04 Euro.
Yeah but competition is coming, big time (Score:1)
I believe having their root certificate in the browser is _the_ number one factor and this is due to change very soon - Windows 2000 and NT4 SP6 both introduce a large number of new trusted players into IE, for example Baltimore, Belgacom, Cable and Wireless, Deutsche telekom, Swisskey, etc.
So maybe Thawte are grabbing the cash and getting out at what they think might be the top of the market... I've always considered Thawte to be a pretty smart company.
And there really is a need for a Slashdot CA, people do not want to pay $200 to get a code-signing certificate just for some
Re:Anyone thought of Enrust.net? (Score:1)
This is true. I think the point that you are missing is that you have to download the intermediate cert to your server to enable the chain of trust to be completed.
Verisign could remove this intermediate cert (as it is now theirs.) and thus one could not complete the installation of an Entrust.net issued cert into their servers.
I agree entirely that older browsers will still trust the Thawte root. Verisign cannot take this away. But at the rate that things are changed in the browser market, newer versions are being released almost every couple of months. It will only take two months for people to stop trusting the Thawte root.
Re:Noooooooooooo! (Score:1)
my clients because of Verisign's spam.
The following companies also have root-signing
certificates in Navigator 4.7:
ABAecom (Am. Bankers Assn)
ANX Network
AT&T
Access America (DST)
American Express
BBN
BelSign
Canada Post Corp.
DST (provider to quite a few others)
E-Certify
Entrust (DST)
Equifax
GTE CyberTrust
GlobalSign
IBM
KEYWITNESS
MCI Mall
National Retail Federation (DST)
Novell (DST)
TC TrustCenter
UPS
United States Postal Service
Uptime Group
Anyone know whether any of these sell certs?
Re:More closed source monopoly (Score:2)
Nice thought, but there are two central problems:
AlterNIC tried this with DNS, and all it required was the cooperation of folks who ran DNS servers all over the world (a relatively small group, actually.) Didn't work.
I definitely won't take the odds on anyone being able to convince the Internet-using public (most of which is stupid, frankly) to install new certs in their browsers. Also, forget about getting them preinstalled in the browsers -- M$ is buddy-buddy with Verisign, and without IE support, no one will use our CA.
If sites are all directing folks to download new certs (I know this will happen anyway with the root rollovers, but bear with me), we will be training folks to accept any cert that they stumble across. Since anyone can create a cert, this could open up unsuspecting users to thinking a connection is ``secure'' when there is no guarantee (even the slight guarantee given by the current CAs) that the other end is who they say they are.
I would say, at best, that if this goes through, SSL should be considered proprietary and dead, and should be shunned by those of us who think computing should be open. It's quite a shame.
30%? Mozilla'd give his left nut for 30%. (Score:1)
Internet Explorer now has over 80% of the browser market, and its lead is increasing each week.
About Thawte, it's pretty coincidental for me to be seeing this article now, since I just signed up for a Thawte certificate late last night. There was one part of the sign-up process that was very unclear -- choosing a CSP. Thawte's web site did nothing for helping a new user decide the pros and cons of the different choices. I just went ahead and picked the Microsoft Base Cryptography because it was the default and because I know I can change it later, but could anyone recommend some links to comparisons between the different choices?
Thankful cheers,
ZicoKnows@hotmail.com
Re:The one thing that really bugs me (Score:2)
(I know you probably already know this, but others may not.)
Certificates are required because you need to know that the other end of the connection is who they say they are. Without that assurance, you open yourself up to a man-in-the-middle attack:
Alice is using SSL to talk to secure.bob.com. Eve wants to see what Alice and secure.bob.com are talking about.
Eve positions herself between Alice and secure.bob.com. She creates two public/private key pairs. She sends one of those public keys to Alice, posing as secure.bob.com. and the other to secure.bob.com, posing as Alice.
As Alice sends data to secure.bob.com, Eve decrypts it with her key and re-encrypts it with secure.bob.com's real public key. The same happens in the other direction.
This can't happen with certificates because secure.bob.com's public key is authenticated with the certificate. (Admittedly, Alice doesn't have a cert in most SSL transactions, but most people settle for the end that they feel needs to be most trustworthy -- the server -- to have the cert.)
Now keep in mind that most browsers are designed to keep the large portion of the Internet-using public (who are stupid) from hurting themselves. Hence the need for certificates, because there is no way you are going to get Grandma to understand man-in-the-middle attacks -- and if you tell her about them, she most certainly will not trust SSL in general.
That said, the SSL patches to lynx don't require certs. :-)
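The man-in-the-middle argument above, worked through as an added example (not code from the original thread): a toy X.509-style check in which a client that only accepts a CA-vouched key for the expected host rejects Eve's substituted key, while an "encrypt but don't authenticate" client cannot tell the two apart. It uses textbook RSA with small primes and no padding, so it illustrates the trust check only; names such as "Toy CA" and `secure.bob.com` are assumed for the scenario.

```python
"""Toy model of why SSL needs an authenticated server key (added example).

Textbook RSA with 7-digit primes and no padding: an illustration of the
trust check, not usable cryptography.
"""
import hashlib
from math import gcd
from typing import Dict, NamedTuple, Tuple

E = 65537
Key = Tuple[int, int]  # (n, exponent)


def is_prime(n: int) -> bool:
    """Trial division; fine for the small primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def keygen(seed: int) -> Tuple[Key, Key]:
    """Deterministic toy RSA key pair from a seed: returns (pub, priv)."""
    p, q = next_prime(seed), next_prime(2 * seed)
    while gcd(E, (p - 1) * (q - 1)) != 1:  # e must be invertible mod phi
        q = next_prime(q + 1)
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: Key, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub: Key, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


class Cert(NamedTuple):
    subject: str   # host name the certificate is issued for
    pub: Key       # the subject's public key
    issuer: str    # name of the CA whose root the client must already hold
    sig: int       # issuer's signature binding subject to pub


def tbs(subject: str, pub: Key) -> bytes:
    """The 'to be signed' bytes: what binds the host name to the key."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue(issuer: str, issuer_priv: Key, subject: str, pub: Key) -> Cert:
    return Cert(subject, pub, issuer, sign(issuer_priv, tbs(subject, pub)))


def client_accepts(cert: Cert, host: str, roots: Dict[str, Key]) -> bool:
    """Browser behaviour: trust the key only if a preinstalled root vouches
    that it belongs to `host`."""
    root = roots.get(cert.issuer)
    if root is None or cert.subject != host:
        return False
    return verify(root, tbs(cert.subject, cert.pub), cert.sig)


def client_accepts_any(cert: Cert, host: str) -> bool:
    """Encrypt-only client: takes whatever key the far end offers."""
    return cert.subject == host


# Constructed scenario from the comment: Alice holds the CA root, Bob has a
# CA-issued cert, Eve self-signs a cert for Bob's name with her own key.
ca_pub, ca_priv = keygen(1_000_000)
bob_pub, bob_priv = keygen(3_000_000)
eve_pub, eve_priv = keygen(5_000_000)
ROOTS = {"Toy CA": ca_pub}
BOB_CERT = issue("Toy CA", ca_priv, "secure.bob.com", bob_pub)
EVE_CERT = issue("Eve CA", eve_priv, "secure.bob.com", eve_pub)
SWAPPED = Cert("secure.bob.com", eve_pub, "Toy CA", BOB_CERT.sig)  # key swapped


def scenario() -> Dict[str, bool]:
    return {
        "auth client, Bob": client_accepts(BOB_CERT, "secure.bob.com", ROOTS),
        "auth client, Eve": client_accepts(EVE_CERT, "secure.bob.com", ROOTS),
        "auth client, swapped key": client_accepts(SWAPPED, "secure.bob.com", ROOTS),
        "encrypt-only client, Bob": client_accepts_any(BOB_CERT, "secure.bob.com"),
        "encrypt-only client, Eve": client_accepts_any(EVE_CERT, "secure.bob.com"),
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```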
Offtopic, sue me, no wait mod me down (Score:1)
not too long after the earthquakes in turkey, and taiwan, there was one in southern california larger than the one in turkey, but less than the one in taiwan (forgive me for being vague i don't remember the numbers) and if i recall correctly there were fewer than 10 reported injuries...
then again it was in the boonies area of southern california, but thats where they seem to happen most lately anyhow
Ouch... Thawte sold their soul to the devil (Score:1)
Anywho, all I know is that verisign is twice as expensive and takes twice as long as thawte to get ANYTHING done. This is a prime example of the word "monopoly"... nowhere else does the consumer get screwed and not know any better.
Re:Alternative certificate (Score:1)
since when do prices go down due to increased demand?
prices go up due to increased demand
and demand increases due to dropped prices
Re:The one thing that really bugs me (Score:1)
That's almost what Thawte was, and what PGP is! (Score:1)
PGP doesn't do a hierarchical certification; it does a web of trust instead, where everybody can certify anybody else's key. The browsers don't use it, but the obvious way to adapt it would be to let you include your own PGP key as a certifier and trust anybody who's key you've signed.
Go for the FTC also! (Score:1)
antitrust@ftc.gov [mailto]
This one is important - make your opinion known!
Re:Other CAs for email besides Verisign (Score:1)
I visited the GlobalSign site and my browser reported that their root was untrusted and would I like to trust it? How should I know??!? I said "no thanks" so the transaction failed.
This is how it works in the real world with unskilled users, it's a major deployment problem (just ask anyone who has ever tried to implement self-signed certs in an intranet.) This is why only the companies with their roots in the browsers are going anywhere, at present this means Thawte and Verisign - period. I know I said Win2K or SP6 would change that but not for the foreseeable future...
Oh yeah and I visited the BT TrustWise site and my browser reported that their root was
Who's up for a new CA? (Score:1)
I wonder how much it would take to start a low-cost, open certificate authority.
No $300 cert charges, no renewal bullshit, just fax us acceptable information and we sign your CSR.
I know one thing for sure - I don't relish the idea of dealing with Verisign (one word - ripoff). I've found Thawte to be a decent business (with the exception of them billing credit cards from South Africa - that doesn't go over too well).
I wonder if there's enough support among the open-source community to get something like this going?
John
Re:hello monopoly (OpenCA) (Score:1)
Darn! (Score:1)
For those who haven't used it, Thawte is an alternative service to Verisign, whose rates are on average about one half of Verisign's. I think all of these Certificate services are overpriced scams, but at least Thawte was less so.
More closed source monopoly (Score:2)
From the Verisign press release [verisign.com]:
It sounds like they want to own the standards and establish a monopoly of closed source rules.
And it will be a monopoly:
Any chance that the mergers and monopolies commission (or whatever it is called in SA) will block this? Please!? Not another MSFT.
This is _not_ good. (Score:1)
hello monopoly (Score:1)
This is bad for us.. (Score:4)
a better job than Verisign. They are cheaper
too, I believe..(though it's been a while)..
They do NOTHING for you! They don't even
make your site more secure...
They are snake-oil salesmen, at best.
Watch as Bruce Schneier gives these jerks a firm talking-to: here [counterpane.com]
Re:And this would mean...what? (Score:2)
--codemonky
--http://www.stetson.edu/~paland
Re:Good move, Thawte, bad move, Verisign. (Score:1)
By the way, I don't have any personal axe to grind against Verisign. I like to see a competitive marketplace with some choices. When the only choice is whether to feed the big gorilla, or stroll over to the park and watch the ducks because there aren't any other primates left
couple of problems... (Score:1)
Re:time for an open-source competitor (Score:1)
Bad news (Score:5)
Consider the following:
This is bad news for consumers.
I have a Thawte cert and this disturbs me greatly (Score:3)
I got a Thawte certificate because their website promised that if laws ever changed in the country their database was in such that they had to divulge its contents, they were prepared to move their database within hours. I also got it because of their support for PGP public key signing.
Now, they're being bought out by Verisign who I have no such trust in, and who isn't, IMHO, a good member of the community. I'm not at all happy about this.
I think I'm going to ask that my Thawte certificate be revoked, and all my data wiped from their databases. I do NOT trust Verisign at all. They seem more like opportunists out to make a buck than people who really understand the paranoid world of security.
Alternative certificate (Score:1)
Re: (Score:1)
Re:Verisign Monopoly and price gouging (Score:2)
If what you want to do is admin your server over a secure webpage, you don't need their services at all. Just generate your own certificate and *presto*
---------
If the price on their certificates goes up, that'll be bad... but really you only need to purchase a certificate if you're setting up an ecommerce site. If that's what your doing, then $500-$1000 is a drop in the bucket. If that's not what you're doing, you can probably just sign your own.
Re:Good move, Thawte, bad move, Verisign. (Score:1)
Re:This is terrible! (Score:2)
Please read Thawte's President essay [thawte.com].
Especially comments on VeriSign:
It might relate only to IPO, but...
Re:too bad: they offered much cheaper certificates (Score:1)
Did it exist: yes, THAWTE! Does it still exist: with Verisign acting as the key God? I wouldn't be surprised if I'd get a bill next week.
Worth the money or not? (Score:1)
Of course as Bruce Schneier points out [counterpane.com], PKI ain't such a secure and necessary deal as it's made out to be, so to a certain extent Verisign is just smoke and mirrors.
How does international anti-trust work? (Score:2)
Thawte has a human face (Score:1)
what gubmint agency do I write to protest this merger?
oh... "thawte" (Score:1)
Imagine my surprise when I read that Verisign bought Thought. I could understand if they had patented it, but bought Thought?
I'm still wrong though.
Re:This is _not_ good. (Score:1)
Forgive my ignorance, but why must trusted certificates be handled exclusively by a bunch of companies??!?!? I think the way IE and NS come with "trusted" certs is a little off... Doesn't it only represent certificates that NS and MS "trust"? If the web of trust is entrusted (pun intended) upon a few companies, they're basically telling you who to trust -- or more bluntly, who they want you to trust.
Isn't the whole idea of the web of trust mechanism to allow anyone to verify certificates they receive from somebody? Now if this verification goes through a bunch of companies (which eventually merge into a monopoly), isn't there the possibility that there could be some foul play?
Competition is healthy. As long as certificate providers have competition, they cannot afford to play foul. But as soon as competition is gone, all bets are off. Mergers of companies like these that are the sole provider of certificates to IE and NS are not good.