"William X. Walsh" <[EMAIL PROTECTED]> writes:
> On 01-Feb-2000 [EMAIL PROTECTED] wrote:
> >> I haven't any wish to trust & to pay to Verisign.
> >> How can I issue my own Global Server ID certificate for use in closed
> >> intranet group in order to force non-US browsers (40 bit) to connect
> >> using 128bit-strong security SSL connection? (refer to Netscape
> >> "Step-up" & Microsoft "SGC").
> > 
> > You can't do that. It has to be signed by Verisign (or one of the other
> > companies that are allowed to issue GSID).
> 
> Allowed by who??????
> 
> That seems pretty weak to me.  If they can issue a cert of this type, I see no
> reason why others can't as well.  Maybe there is something I am missing, but
> who is it that decides who is "allowed to issue GSID" ?

The US Government.

The whole point of the exercise is to allow strong crypto for financial
transactions but nothing else. For this to work properly, the certificates
have to vouch for the server being used for financial purposes. But that
means that the CA has to be trusted by the government not to issue
these special certificates to just anyone. Which means that only certain
(trusted) CAs can issue them.

The technical enforcement of this, of course, is done by Netscape and MS,
but they're restricted in what they can do by the feds, who can refuse
export licenses if the software doesn't behave the way they like.

Of course, all this is probably moot in the face of the new export
liberalization.

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
