Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

koichi sugimoto <> Tue, 07 June 2011 01:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A762311E8096; Mon, 6 Jun 2011 18:32:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.372
X-Spam-Status: No, score=-1.372 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DEAR_SOMETHING=1.605, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bTXsdE5lYO9x; Mon, 6 Jun 2011 18:32:01 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5F59011E8090; Mon, 6 Jun 2011 18:32:01 -0700 (PDT)
Received: by pzk7 with SMTP id 7so449896pzk.1 for <multiple recipients>; Mon, 06 Jun 2011 18:32:00 -0700 (PDT)
Received: by with SMTP id h7mr24678pbf.25.1307410320794; Mon, 06 Jun 2011 18:32:00 -0700 (PDT)
Received: from ( []) by with ESMTPS id o2sm4076833pbj.65.2011. (version=SSLv3 cipher=OTHER); Mon, 06 Jun 2011 18:32:00 -0700 (PDT)
Received: by pzk5 with SMTP id 5so2448373pzk.31 for <multiple recipients>; Mon, 06 Jun 2011 18:32:00 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id o1mr2256205pbd.178.1307410320002; Mon, 06 Jun 2011 18:32:00 -0700 (PDT)
Received: by with HTTP; Mon, 6 Jun 2011 18:31:59 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Tue, 7 Jun 2011 10:31:59 +0900
Message-ID: <>
From: koichi sugimoto <>
To: Yoav Nir <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Tue, 07 Jun 2011 09:05:03 -0700
Cc: "" <>, "" <>, "" <>
Subject: Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Jun 2011 01:32:02 -0000

Dear Sirs,

I've heard the fact was as follows:

Paul Tourret and Steve Waite were independent agents assigned the
responsibility of sales and marketing for the RapidSSL brand, acting under
a company called Certification Services Ltd (CSL). Verisign served
termination notice to CSL immediately after the announcement of the
GeoTrust acquisition. CSL then later changed its name to GlobalSign
Limited following successful acquisition of GlobalSign NV.
was, and always had been, an SSL brand owned in full by GeoTrust Inc.
GeoTrust elected to represent the brand as a business unit and as
mentioned above, Paul Tourret and Steve Waite were assigned as "agents" to
promote the brand.  All root Certificates and infrastructure was
maintained and operated alongside the GeoTrust branded roots and in
infrastructure operated by GeoTrust Inc.  In 2006 VeriSign acquired
GeoTrust and all its assets, including the RapidSSL brand and root
Certificates.  Paul and Steve ceased their relationship with GeoTrust (now
owned by VeriSign) in late 2006.  At the time of the rogue issuance of
RapidSSL root Certificates, ownership and infrastructure of maintenance
had been under VeriSign's control for over 2 years.  To be clear, VeriSign
did not switch away from MD5 on behalf of RapidSSL, RapidSSL is just a
product brand (not a company) owned in full by VeriSign.

Koichi Sugimoto.

2011/6/5 Yoav Nir <>om>:
> On Jun 3, 2011, at 5:55 AM, Peter Gutmann wrote:
>> Yoav Nir <> writes:
>>> In late 2008, when some researchers got RapidSSL to sign a certificate
>>> request that collided with their rogue sub-CA certificate, several things
>>> came to light:
>>> - They were a ridiculously small company, with the only full-time employee.
>>> An accountant
>> I wasn't aware of this one, do you have any pointers to info on this?  I guess
>> a Webtrust audit doesn't check whether you have more than a single employee :-).
>> Peter.
> I'm not sure where I've read it. Probably some blog entry about the incident. Not Bruce Schneier's because his entries are still online.
> Anyway, checking the data for now, Business Week has this:
> It lists two "key executives", VP Marketing and VP Sales and no CEO/President. Click their links, and both have other jobs at Globalsign and other companies.
> The key issue is the total lack of in-house expertise. Late in 2008, it wasn't RapidSSL that switched to MD5. Verisign did it for them:
> _______________________________________________
> pkix mailing list