>I believe Verisign has certified some US banks to issue their
>own global server IDs by signing a CA certificate with their
>global server root, and with suitable path length protection.
I don't think that helps. In order to be a "step-up CA" you
have to get the browsers to have that CA pre-loaded.
Do you know more about how this works? Verisign GSIDs are signed
with an intermediate "Verisign International" CA which must be chained
to Verisign's Class 3 Primary CA root which is built into the browsers.
So I wonder what the purpose of that arrangement is.
Will, for Netscape you can do a binary patch on the certstore
(as documented in mod_ssl), but there is no equivalent for IE.
Any idea how IE stores certificates?
It's possible a bank could get a custom version of IE through
their links to MS, but I doubt they'd be willing/able to roll
that out to their customers.
Actually that's not that unlikely. Making custom versions of IE is
straightforward with the M$ IEAK (IE Administration Kit). ISPs and
corporate users do it a lot. And banks who want you to sign up for
"Internet Home Banking" (etc.) often send CD-ROMs to their customers.
So including a special IE version on the CD is straightforward.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
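An added example, not from this thread, of what "suitable path length protection" on a bank's CA certificate does, using only the openssl command line: a sub-CA issued with pathlen:0 can sign server certificates, but a chain that passes through a further CA below it is rejected. The names (root, bankca, www, rogueca, deep) are constructed for the demo; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Build root -> bankca (pathlen:0) -> www and show that openssl verify
# refuses root -> bankca -> rogueca -> deep because bankca's path length
# constraint forbids any CA certificate below it.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# issue NAME BASICCONSTRAINTS [ISSUER]: self-signed when ISSUER is omitted,
# otherwise signed by $WORK/ISSUER.crt with the given basicConstraints.
issue() {
  name=$1; ext=$2; issuer=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$ext" > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
        -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
        -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# verify LEAF INTERMEDIATE...: returns 0 when openssl accepts a chain from
# LEAF through the listed untrusted intermediates up to root.crt.
verify() {
  leaf=$1; shift
  : > "$WORK/chain.pem"
  for c in "$@"; do cat "$WORK/$c.crt" >> "$WORK/chain.pem"; done
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" \
      "$WORK/$leaf.crt" >/dev/null 2>&1
}

# Constructed hierarchy: root stands in for the browser-trusted global root,
# bankca for the CA certificate issued to a bank with pathlen:0, and www for
# a server certificate the bank issues for its own site.
issue root   "CA:TRUE"
issue bankca "CA:TRUE,pathlen:0" root
issue www    "CA:FALSE" bankca
# What pathlen:0 forbids: the bank minting another CA and issuing under it.
issue rogueca "CA:TRUE" bankca
issue deep    "CA:FALSE" rogueca

verify www bankca && echo "www via bankca: accepted"
verify deep rogueca bankca || echo "deep via rogueca: rejected (path length exceeded)"
```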