Well, the CA *is* preloaded and Verisign just signs a bank subordinate CA
using the global ID root. The subordinate CA can then issue global
server IDs of its own but (presumably) no further global ID CAs because
of a path length restriction.
Stephen, are you saying there's something different between
Verisign class 3 public primary root, and, say, the Thawte primary?
That's odd, because I believe the Verisign root found in Netscape 4.04
(i.e. the one that expires Dec 31 1999) had been around for several
years, and Global IDs haven't existed for that long. So that
seems to indicate that the cert with the special SGC-enabling bits
is the intermediate "Verisign International CA" cert that you get
along with your GSID.
That would, however, be a gaping security hole in the GSID system
which was intended to let the US government control use of 128 bit
encryption in these browsers, by regulating who was allowed to get
GSIDs. It would mean that any cert authority recognized by the
browser could issue its own GSIDs.
I'd very much like to find out if this is the case. Thawte told me
that they've applied for some kind of approval to issue GSIDs and
they should have roots for it in the next generation of browsers
(I guess that means NS 5 and IE 6), but that doesn't help me trying
to support IE4 through Verisign's root rollover. :(
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
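The path length restriction mentioned at the top of the thread is what keeps a subordinate CA from delegating further. The script below is an added example, not from the thread or from OpenSSL itself: it builds a throwaway hierarchy with the `openssl` command line (a self-signed root standing in for a preloaded browser root, a subordinate with `pathlen:0`, and a second-level CA the subordinate should not be able to delegate to), then shows that `openssl verify` accepts a server cert issued directly by the subordinate and rejects one issued through the extra CA. All names, key sizes and extension profiles are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the thread): a root signs a subordinate CA with
# pathlen:0.  The subordinate can issue server certs and can even mint a
# further CA, but any chain passing through that extra CA fails verification.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for each role (constructed).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > ee.ext

# newkey NAME: fresh RSA key plus a CSR for /CN=NAME.
newkey() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
}
# issue NAME ISSUER EXTFILE: sign NAME's CSR with ISSUER's key and the given extensions.
issue() {
  newkey "$1"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 2 -extfile "$3" 2>/dev/null
}
# verify_chain LEAF INTERMEDIATES: exit 0 only if LEAF chains to root.crt.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
}

# Self-signed root, standing in for a preloaded browser root.
newkey root
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 -extfile ca.ext 2>/dev/null
issue sub      root  sub.ext   # subordinate CA, pathlen:0
issue leaf_ok  sub   ee.ext    # server cert issued by the subordinate
issue rogue    sub   ca.ext    # subordinate signs another CA (nothing stops it here)
issue leaf_bad rogue ee.ext    # server cert below that extra CA

cat sub.crt > chain_ok.pem
cat sub.crt rogue.crt > chain_bad.pem

verify_chain leaf_ok.crt chain_ok.pem && echo "leaf_ok: accepted"
verify_chain leaf_bad.crt chain_bad.pem || echo "leaf_bad: rejected (pathlen exceeded at sub)"
```

The signing step for the rogue CA succeeds, which is the point: the restriction lives in the subordinate's basicConstraints and is enforced by whoever validates the chain, not by the CA software.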