I'd heard that, unlike the trusted certifiers for regular certificates,
the certifiers trusted for "step-up" certificates couldn't
be configured. It makes sense for the govt to
insist on this, since if you can add certifiers
to your browser that issue step-up certs, then it becomes really
easy to set up a 128-bit key session.
But I'd also heard that VeriSign was the only approved issuer, meaning
that Netscape and IE would both have only VeriSign's key wired in as
authorized issuer of step-up certs and you can't add others.
So I don't know how Thawte can issue a certificate recognized
by those browsers. (Anyone can issue such a certificate, but it's
irrelevant if nobody recognizes it, of course.)
So since Thawte is advertising this, there must be new versions of
IE and Netscape that recognize Thawte as an issuer of step-up certs.
Which must mean that the US govt has approved Thawte (so that they
allow export of browsers that recognize it), which must mean that
Thawte has promised to only issue step-up certs to institutions
that the US govt would approve getting such certs.
Radia