Thanks, I still couldn't find any real technical detail, but your explanation is mostly correct. One learns something every day.
Netscape and MS appear to support "step-up" or "server gated" cryptography. Presumably any browser could (or they could have just not export crippled themselves in the first place). MS tries to take credit for it, but the history is unclear in the quick search I performed. I found indications from several digital certificate vendors that they can provide certs with support for this "step-up" crypto, so Verisign is not unique in that respect. I also confirmed that Apache can indeed support it. Protocol-wise the old export-controlled browsers are deliberately broken to not negotiate higher than export strength ciphers. However, they also include code such that a change-cipher-spec SSL message _will_ be allowed provided that some internal browser criteria is met. Presumably that the signing CA is continental US based, although on a technical level I can't see how they could have done that - I suspect that the browsers have a list of allowable signing root CAs for step-up. The code required to support this shouldn't really be export controlled - all that is required is for the server to attempt to change the cipher strength once the initial 40-56 bit connection has been established. It's still not going to work on a server that doesn't have a cert which is acceptable to the browser at the other end. Given that it all seems dodgy as heck (lots of KB articles about it breaking in various circumstances), I'd say it's better for people to just update to a non-export browser - these certs aren't really all that relevant any more; the backwards compatability issue is false-logic (older browser versions contain lots of other security holes, so their use would be bad for apps that require high security). Cheers, -- Ben Nagy Network Security Specialist Mb: TBA PGP Key ID: 0x1A86E304 > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Marc E. Mandel > Sent: Saturday, May 25, 2002 4:25 AM > To: [EMAIL PROTECTED] > Subject: RE: Off-Topic - Encryption and Credit Card > Processing (resent) > > > Ben: > > In response to your question (see below) about surrogate/gated > functionality built into the major browsers since Netscape > and IE version > 3, the answer is simple. To address the global needs of the > US financial > community, the US Government agreed to this functionality for > both domestic > and exportable versions of the browser. The Federal > Government agreed to > this provided the server that triggers the higher strength > processing is > operating in the US or Canada and a domestic commercial certificate > authority (CA) with the capability of issuing such certificates is > utilized. To my knowledge, only VeriSign can provide such > certificates. I > have been involved with the installation of global certificates on > Netscape, iPlanet, and IIS web servers since at least the > first quarter of > the Year 2000. Initially, WebLogic servers could not handle global > certificates even though BEA claimed its software did. Once > BEA completed > its legal agreement with VeriSign, the issue was supposedly > resolved. While I expect that this is true, I have never > validated it for > myself. I don't recall that an Apache web server could > handle the Global > certificates. To function properly, the supplier of the web > server must > obtain special (export controlled) code from the issuing CA. > > Note: I'm note exposing any secrets here. You should be able > to obtain > this information freely from the VeriSign, Netscape, and > Microsoft public > web sites. You just may have to dig for it awhile. > > Sincerely yours; > Marc Mandel > > At 10:10 PM 05/24/2002 +0200, Ben Nagy wrote: > >G'day, > > > >Um, could you run through that at a more technical level for me? > > > >How exactly does a different Verisign cert at the server end > make a 40 > >bit "Colombian Special" browser suddenly able to support 128 bit > >encryption? > > > >Intrigued, > > > >-- > >Ben Nagy > >Network Security Specialist > >Mb: TBA PGP Key ID: 0x1A86E304 [...] _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
