Salz, Rich wrote:
> 
> >I believe Verisign has certified some US banks to issue their own global
> >server IDs by signing a CA certificate with their global server root, and
> >with suitable path length protection.
> 
> I don't think that helps. In order to be a "step-up CA" you have to get
> the browsers to have that CA pre-loaded. Well, for Netscape you can do a
> binary patch on the certstore (as documented in mod_ssl), but there is no
> equivalent for IE. It's possible a bank could get a custom version of IE
> through their links to MS, but I doubt they'd be willing/able to roll that
> out to their customers.

Well, the CA *is* preloaded and Verisign just signs a bank subordinate CA
using the global ID root. The subordinate CA can then issue global
server IDs of its own but (presumably) no further global ID CAs because
of a path length restriction.

It doesn't help, though, because the process is AFAIK very strictly
controlled.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
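The arrangement Steve describes, a subordinate CA whose basicConstraints carries cA=TRUE with pathLenConstraint=0 so that it can issue server certificates but no further CAs, can be demonstrated with the path-length part of RFC 5280 chain validation. The block below is an added example, not code from this thread or from OpenSSL: it encodes and decodes the BasicConstraints extension in DER with the standard library only, then applies the steps of RFC 5280 section 6.1.4 (k), (l) and (m) to constructed chains. The CA and host names ("Verisign Global Root", "Bank Sub CA", "www.bank.example") are invented, the `Cert` record carries only the fields the check needs, and as a deliberate choice the example also honours the trust anchor's own pathLenConstraint, which is stricter than section 6.1 requires.

```python
"""Path-length enforcement for X.509 chains (RFC 5280 4.2.1.9 and 6.1.4).
Added illustration with constructed data, not OpenSSL code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value (minimal octets, sign bit clear)."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 128:
            raise ValueError("non-minimal length is BER, not DER")
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


# BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
#                                 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
def encode_basic_constraints(ca: bool, path_len: Optional[int] = None) -> bytes:
    body = b"\x01\x01\xff" if ca else b""  # DER omits the DEFAULT FALSE value
    if path_len is not None:
        if not ca or path_len < 0:
            raise ValueError("pathLenConstraint needs cA TRUE and a value >= 0")
        body += _der_int(path_len)
    return b"\x30" + _der_len(len(body)) + body


def decode_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:
        _, val, pos = _read_tlv(body, pos)
        if val not in (b"\x00", b"\xff"):
            raise ValueError("malformed BOOLEAN")
        ca = val == b"\xff"
    if pos < len(body) and body[pos] == 0x02:
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0 or not ca:
            raise ValueError("pathLenConstraint must be >= 0 and requires cA TRUE")
    if pos != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return ca, path_len


@dataclass
class Cert:
    subject: str
    issuer: str
    basic_constraints: bytes  # DER value of the extension; nothing else modelled


def make_cert(subject: str, issuer: str, ca: bool = False,
              path_len: Optional[int] = None) -> Cert:
    return Cert(subject, issuer, encode_basic_constraints(ca, path_len))


def check_path_length(chain: List[Cert]) -> Tuple[bool, str]:
    """RFC 5280 6.1.4 (k)/(l)/(m) over a chain ordered trust anchor first.
    Signatures, validity and name constraints are out of scope here."""
    if len(chain) < 2:
        raise ValueError("need a trust anchor and at least one certificate")
    anchor, path = chain[0], chain[1:]
    anchor_ca, anchor_plen = decode_basic_constraints(anchor.basic_constraints)
    if not anchor_ca:
        return False, f"{anchor.subject}: trust anchor is not a CA"
    max_path_length = len(path)
    if anchor_plen is not None and anchor_plen < max_path_length:
        max_path_length = anchor_plen  # stricter than 6.1, which skips the anchor
    prev = anchor
    for i, cert in enumerate(path):
        if cert.issuer != prev.subject:
            return False, f"{cert.subject}: issuer does not match {prev.subject}"
        if i == len(path) - 1:  # end-entity: no CA processing
            break
        ca, plen = decode_basic_constraints(cert.basic_constraints)
        if not ca:  # (k)
            return False, f"{cert.subject}: not a CA, yet issued {path[i + 1].subject}"
        if cert.subject != cert.issuer:  # (l): self-issued certs do not consume a hop
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length constraint exceeded"
            max_path_length -= 1
        if plen is not None and plen < max_path_length:  # (m)
            max_path_length = plen
        prev = cert
    return True, "path length constraints satisfied"


def thread_scenarios() -> Dict[str, Tuple[bool, str]]:
    """The situations discussed in the thread, as constructed chains (invented names)."""
    root = make_cert("Verisign Global Root", "Verisign Global Root", ca=True)
    bank_ca = make_cert("Bank Sub CA", "Verisign Global Root", ca=True, path_len=0)
    bank_ca_open = make_cert("Bank Sub CA", "Verisign Global Root", ca=True)
    sub_sub = make_cert("Bank Sub-Sub CA", "Bank Sub CA", ca=True)
    server = make_cert("www.bank.example", "Bank Sub CA")
    server2 = make_cert("www.bank.example", "Bank Sub-Sub CA")
    rogue = make_cert("www.rogue.example", "www.bank.example")
    return {
        "server under constrained sub CA": check_path_length([root, bank_ca, server]),
        "sub-sub CA under constrained sub CA": check_path_length([root, bank_ca, sub_sub, server2]),
        "sub-sub CA under unconstrained sub CA": check_path_length([root, bank_ca_open, sub_sub, server2]),
        "server cert used as an issuer": check_path_length([root, bank_ca, server, rogue]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in thread_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

The two "sub-sub CA" cases are the point of the thread: with pathLenConstraint=0 on the bank's subordinate, a further CA certificate under it is rejected at step (l), while without the constraint the same chain validates, so the restriction is what keeps the bank from minting its own global ID CAs. The "server cert used as an issuer" case shows step (k) doing the same job for end-entity certificates that lack cA=TRUE.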
