Lee,

    Thanks, I am aware of the SGC history. The SGC certs are signed by
Verisign, not MS or Netscape. I can create one using OpenSSL and get it
signed by Verisign without paying a penny to MS or Netscape. I'll have to
pay Verisign of course, perhaps more than usual (~US $500), but even tiny
companies can probably afford it :)

_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________



----- Original Message -----
From: "Dilkie, Lee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 25, 2001 4:44 PM
Subject: RE: SCG, DSA


> Greg,
>
> As your link states, you need to have a CA cert signed by a root SGC CA
> and as I recall, both MS and NS have to control access to such entities
> quite closely (i.e. you need to be a big company or at least you have to be
> big enough to not be able to run away from the gov). The history of SGC
> involves MS and NS negotiations with the US gov (read, NSA) to allow 128 bit
> encryption support in browsers offshore when the situation warranted (i.e.
> banking transactions). The gov relented and allowed NS and MS to ship 128
> bit crypto with their browsers as long as it could only be used in
> "authorized" applications, hence the development of the SGC extension in
> certificates. Because the SGC extension root certs were compiled into the
> browsers, one cannot simply create your own CA with the extension, it won't
> work. You can either get an SGC CA cert from one of the two vendors (assuming
> you meet the criteria and pay the dough) or I suppose you could ask the gov
> to let you have a root SGC CA.
>
> SGC is more or less a moot point these days, unless your clients can't
> upgrade to the strong crypto browsers. OK, so it's probably not that moot :)
>
> -lee
>
> -----Original Message-----
> From: Greg Stark [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 25, 2001 3:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: SCG, DSA
>
>
> > 1.> I'm wondering if it's possible to make a digital cert that
> > supports/uses SCG (Server Gated Cryptography), and if so, how?
> >
> > [Lee]  I think you have to be a big company, like MS or Netscape, and
> > negotiate a special deal with the NSA.
>
>
> I don't think so. Better yet, search for SGC (not SCG) in the archives, for
> one example see
> (http://www.mail-archive.com/openssl-users@openssl.org/msg13731.html), and
> look at the doc/openssl.txt.
>
> However, there is probably *no* reason for anyone to create an SGC cert
> anymore.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> ______________________________________________________________________
