My understanding is that

  a) The tech is called "SGC: Server Gated Cryptography" (MS
     terminology) or "stepup" (Netscape terminology)

  b) It is designed to enable strong encryption in a controlled
     fashion outside of the U.S.

  c) It requires both the client and the server to support the
     capability.

  d) It is keyed by the server - the server software, if it
     has a Step-up cert, will allow the browser to negotiate
     a 128 bit connection. If not, it allows only export grade
     connections.

The intent is to allow export located financial institutions to
use strong cryptography, while keeping it out of the hands
of others. (Hmmm...I'll refrain here)

AFAIK, only Microsoft IIS and Netscape Enterprise server support
SGC at this point, and only IE 4/Netscape 4.0 browsers support
this. There are known problems with the technology:

  1) IE4 will not always report the page as being secure, even
     if it is.
  2) IE5 on NT4.0 doesn't always stepup to 128 bit properly
  3) IE4 occasionally reports pages as being mixed content
     (both secure and insecure) when they aren't

http://support.microsoft.com/support/kb/articles/Q240/8/06.ASP
http://support.microsoft.com/support/kb/articles/Q180/0/18.ASP
http://support.microsoft.com/support/kb/articles/Q148/4/27.ASP

To the best of my knowledge, no OpenSSL based servers have
implemented this technology.

Thomas


Michael wrote:
> 
> Both Verisign and Thawte(verisign) are currently offering so-called
> Super Certificates that enable 128 bit encryption with export (40
> bit) browsers.
> 
> Can someone explain how this works and if it works with apache-ssl
> with recent openssl.
> 
> Thanks
> Michael
> [EMAIL PROTECTED]
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

-- 
------------------------------------------------------------
Thomas Reinke                            Tel: (905) 331-2260
Director of Technology                   Fax: (905) 331-2504
E-Soft Inc.                         http://www.e-softinc.com
Publishers of SecuritySpace     http://www.securityspace.com
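
Added example, not part of the original message: point (d) says the step-up is keyed by the server certificate, and such certificates are marked with the Netscape (nsSGC) or Microsoft (msSGC) extended key usage OID. The sketch below audits a DER-encoded ExtendedKeyUsage value for those markers; the OIDs are not from the post, and the sample byte strings and function names are constructed for illustration.

```python
# Added example: well-known SGC EKU OIDs; the sample DER values are constructed.
SGC_OIDS = {
    "2.16.840.1.113730.4.1": "Netscape step-up (nsSGC)",
    "1.3.6.1.4.1.311.10.3.3": "Microsoft SGC (msSGC)",
}
# Constructed EKU: serverAuth + nsSGC + msSGC
CONSTRUCTED_SGC_EKU = bytes.fromhex(
    "3021" "06082b06010505070301" "06096086480186f8420401"
    "060a2b0601040182370a0303")
# Constructed EKU: serverAuth only
CONSTRUCTED_PLAIN_EKU = bytes.fromhex("300a" "06082b06010505070301")

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element at off."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def decode_oid(body):
    """Decode DER OID content octets into dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                     # last octet of this arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)            # first octet packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def sgc_usages(eku_der):
    """List SGC/step-up usages found in a DER ExtendedKeyUsage value."""
    tag, seq, _ = read_tlv(eku_der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    found, off = [], 0
    while off < len(seq):
        tag, body, off = read_tlv(seq, off)
        if tag == 0x06 and decode_oid(body) in SGC_OIDS:
            found.append(SGC_OIDS[decode_oid(body)])
    return found
```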