Paul Rubin wrote:
> 
>         Well the CA *is* preloaded and Verisign just sign a bank subordinate CA
>         using the global ID root. The subordinate CA can then issue global
>         server IDs of its own but (presumably) no further global ID CAs because
>         of a path length restriction.
> 
> Stephen, are you saying there's something different between
> Verisign class 3 public primary root, and, say, the Thawte primary?
> That's odd, because I believe the Verisign root found in Netscape 4.04
> (i.e. the one that expires Dec 31 1999) had been around for several
> years, and Global IDs haven't existed for that long.  So that
> seems to indicate that the cert with the special SGC-enabling bits
> is the intermediate "Verisign International CA" cert that you get
> along with your GSID.
> 

No I'm not saying there's anything different :-)

I believe this is described in the mod_ssl documentation but I'll give
my version anyway.

For a certificate to be recognised as a valid Global ID (also called
Server Gated Cryptography or SGC) by a browser several conditions must
be met.

1. All the CAs and end user certificates (with the possible exception of
the root) must contain the extended key usage extension and include
either the Microsoft SGC or the Netscape SGC OIDs.

2. The root CA must be installed and trusted in the browser.

3. The root CA must be marked as a valid root SGC CA in the browser
database.

Point 3 is the crucial one. There is no option in the browsers to trust
a CA as an SGC root because that would make the whole thing useless:
anyone could issue SGC certificates. I believe the only pre-installed
SGC root is Verisign class 3 (?).

So although Thawte have root CAs in the browsers they are not set as
valid SGC roots so Thawte can't issue SGC certificates. If and when
Thawte gets permission their entry will presumably be updated in the
database either by a new browser version or a patch of some sort.

BTW someone has worked out how to edit the Netscape browser DB to mark
any CA as a valid SGC root but not MS AFAIK. Details about how to do
this are described in the mod_ssl documentation.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
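Condition 1 above can be checked mechanically. The following is an added example (not code from the message, mod_ssl or OpenSSL) that walks a DER-encoded X.509 extension list, pulls the OIDs out of the extKeyUsage extension and tests every certificate in a chain except the root for either SGC OID. The OID values are assumed well-known assignments (the message names them but does not quote them), the function names are mine, and the extension lists it runs over are constructed in the block rather than taken from real certificates.

```python
OID_EKU = "2.5.29.37"                   # id-ce-extKeyUsage (assumed value, not quoted above)
OID_MS_SGC = "1.3.6.1.4.1.311.10.3.3"   # Microsoft SGC (assumed value)
OID_NS_SGC = "2.16.840.1.113730.4.1"    # Netscape SGC (assumed value)
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, present in every sample below
def read_tlv(buf, pos=0):               # DER tag-length-value -> (tag, body, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                        # long-form length: low bits give the byte count
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def children(seq_der):                  # (tag, body) of each element of a DER SEQUENCE
    _, body, _ = read_tlv(seq_der)
    out, pos = [], 0
    while pos < len(body):
        tag, elem, pos = read_tlv(body, pos)
        out.append((tag, elem))
    return out
def decode_oid(body):                   # OBJECT IDENTIFIER content bytes -> dotted string
    arcs, n = [], 0
    for b in body:                      # 7 data bits per byte; high bit means "continues"
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    root = 2 if arcs[0] >= 80 else arcs[0] // 40   # first two arcs share one sub-identifier
    return ".".join(str(x) for x in [root, arcs[0] - 40 * root] + arcs[1:])
def eku_oids(extensions_der):           # OIDs in extKeyUsage of a DER 'SEQUENCE OF Extension'
    for _, ext in children(extensions_der):
        _, oid, p = read_tlv(ext)
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                 # optional 'critical' BOOLEAN sits before the OCTET STRING
            _, val, _ = read_tlv(ext, p)
        if decode_oid(oid) == OID_EKU:  # the OCTET STRING wraps a SEQUENCE OF OID
            return [decode_oid(b) for _, b in children(val)]
    return []
def chain_satisfies_sgc(chain_extensions):   # condition 1: every cert but the root has an SGC OID
    return all(any(o in (OID_MS_SGC, OID_NS_SGC) for o in eku_oids(e)) for e in chain_extensions[:-1])

# Encoder, used only to construct sample extension lists (no real certificates involved)
def _base128(n):                        # OID sub-identifier: 7 bits per byte, high bit set except last
    out = [n & 0x7F]
    while n >> 7:
        n >>= 7
        out.insert(0, 0x80 | (n & 0x7F))
    return bytes(out)
def der(tag, body):                     # short-form length suffices for these small samples
    return bytes([tag, len(body)]) + body
def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    return der(0x06, _base128(a[0] * 40 + a[1]) + b"".join(_base128(x) for x in a[2:]))
def build_extensions(eku, critical=False):   # extension list holding one extKeyUsage extension
    ext = encode_oid(OID_EKU) + (der(0x01, b"\xff") if critical else b"")
    return der(0x30, der(0x30, ext + der(0x04, der(0x30, b"".join(map(encode_oid, eku))))))
```

Feed it the extension list of each certificate in a chain, leaf first and root last; the root is skipped, matching the "possible exception of the root" in the message.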

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
