Friday, August 19, 2005

$25, and a bit more green for an X.509 certificate

That sounds like quite a deal actually. Verisign still charges an exhorbitant amount of money for bits that do the same thing.

-Jason


From Peter Gutman to the Cryptography Mailing list
Subject: How much for a DoD X.509 certificate?

$25 and a bit of marijuana, apparently. See:

http://www.wjla.com/news/stories/0305/210558.html
http://www.wjla.com/news/stories/0105/200474.html

Although the story doesn't mention this, the "ID" in question was the
DoD Common Access Card, a smart card containing a DoD-issued
certificate. To get a CAC, you normally have to provide two forms of
verification... in this case I guess the two were photo ID of dead
presidents and empirical proof that you know how to buy weed.

The cards were issued by Yusuf Khalil Jackson, a man with a long
criminal history (including, ironically, identity fraud):

John Pike, Global Security.org: "The notion that we're going to let
somebody with this type of criminal record, with no background check
on him
and give him the ID card machine defies understanding."

Jackson admitted to making about 30 of the ID cards:

John Pike: "The good news is that it looks like some of these people
were
just doing it so they could go to a bar and claim to be over 21. The
bad
news is that you don't know what else some of these other people might
have
done."

One of the cards was later "seized from a Pakistani national" by the
police.

Bowens: "That's the nightmare of it. The cards themselves are not
counterfeit. They're authentically made but they've been issued in an
unauthorized manner for profit or ideology or a little of both."

This sort of thing doesn't bode well for Real ID either. These cards
were real ID too.

Peter.


No comments:

Post a Comment