Dirk-Willem van Gulik wrote: > Dirk-Willem van Gulik wrote: > >> Actually Steve - you may know - what besides the obvious >> >> extendedKeyUsage=nsSGC,msSGC >> >> in the extension file needs to go into a sub-ca below a >> self-signed-root-chain to make the browsers dance ? Or have they >> hardcoded in some specific CA or similar ? Or is there a test case in >> opnessl which is useful here ? As that would let us do decent tests >> script. > > Hmm - just found > > http://www.modssl.org/docs/apachecon2001/slide-010-n.html > > which seems to be one of the few places on the web; which suggest that > sepcial tagging in the browser is happening on a per-CA level. > > Is that indeed the case. That would suggest that we do need the help of > a CA to do proper testing. >
Actually now I think of this there is another issue. In SGC/Step Up an export grade browser would first connect using weak crypto (because that was the strongest algorithm it would support generally) and (if the certificate was authorised) step up to strong crypto. Now that browsers can connect with strong crypto from the start there isn't a great deal of point doing that any more. In fact there's a good reason not to: the double handshake with Step Up ends up perfomring two expensive server private key operations compared to one in a normal handshake. Do any countries still have browsers restricted to weak crypto and that might use Step Up or SGC? If so you also need an appropriate browser to test it... Steve. -- Dr Stephen N. Henson. Senior Technical/Cryptography Advisor, Open Source Software Institute: www.oss-institute.org OpenSSL Core team: www.openssl.org
