Thomas Reinke wrote:
> 
> My understanding is that
> 
>   a) The tech is called "SGC: Server Gated Cryptography" (MS
>      terminology) or "stepup" (Netscape terminology)
> 

It isn't just terminology. They achieve similar things in different
ways. SGC violates the SSL protocol whereas stepup keeps within it.

>   b) It is designed to enable strong encryption in a controlled
>      fashion outside of the U.S.
> 
>   c) It requires both the client and the server to support the
>      capability.
> 

It just needs the server to support strong encryption and use a
certificate from an appropriate authority with the appropriate
extensions. Well stepup does anyway...

>   d) It is keyed by the server - the server software, if it
>      has a Step-up cert, will allow the browser to negotiate
>      a 128 bit connection. If not, it allows only export grade
>      connections.
> 

It is actually checked by the client. An export client does a normal
handshake advertising weak ciphers. If the client sees an approved cert
it will do a second handshake and advertise that it supports more
(strong) ciphers.

> 
> To the best of my knowledge, no OpenSSL based servers have
> implemented this technology.
> 

Any correctly written OpenSSL server containing an approved certificate
supports the protocol. With some restrictions... 

SGC is only supported in OpenSSL 0.9.5 and later because SGC violates
the SSL protocol and a work around was only added in that version. Step
up is supported in earlier versions because it keeps to the SSL spec.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
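The step-up exchange Steve describes (export client offers weak ciphers, inspects the server certificate, then repeats the handshake offering strong ciphers) as an added model of the two handshakes. This is illustration code, not OpenSSL's implementation: messages are plain dicts rather than SSL records, the server is assumed to take the first offered cipher it supports, and the certificate is treated as "approved" if its extended key usage carries the Netscape step-up OID (2.16.840.1.113730.4.1) or the Microsoft SGC OID (1.3.6.1.4.1.311.10.3.3); the certificates and cipher lists are constructed for the example. The SGC variant, which steps outside the SSL protocol, is not modelled.

```python
"""Model of the Netscape step-up double handshake (added example)."""

# Cipher names are OpenSSL-style but the lists are constructed for
# this example; they are not the full export/domestic suites.
EXPORT_CIPHERS = ["EXP-RC4-MD5", "EXP-DES-CBC-SHA"]
STRONG_CIPHERS = ["RC4-MD5", "DES-CBC3-SHA"]

# Extended key usage OIDs that marked a certificate as step-up/SGC
# approved (assumed here; the mail only says "appropriate extensions").
NETSCAPE_STEPUP_OID = "2.16.840.1.113730.4.1"
MS_SGC_OID = "1.3.6.1.4.1.311.10.3.3"
APPROVED_OIDS = {NETSCAPE_STEPUP_OID, MS_SGC_OID}
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# Constructed certificates: one with a step-up EKU, one without.
APPROVED_CERT = {"subject": "CN=www.example.com",
                 "ext_key_usage": [SERVER_AUTH_OID, NETSCAPE_STEPUP_OID]}
PLAIN_CERT = {"subject": "CN=www.example.com",
              "ext_key_usage": [SERVER_AUTH_OID]}


def server_hello(server_cert, server_ciphers, offered):
    """Server side of one handshake.

    The server does not decide anything about step-up: it just picks
    the first cipher the client offered that it also supports (an
    assumed selection rule) and sends back its certificate.
    """
    for cipher in offered:
        if cipher in server_ciphers:
            return {"cipher": cipher, "cert": server_cert}
    raise ValueError("no shared cipher")


def cert_is_approved(cert):
    """Client-side check: does the certificate carry an approved EKU?"""
    return bool(APPROVED_OIDS & set(cert.get("ext_key_usage", [])))


def export_client_connect(server_cert, server_ciphers):
    """Export client connecting to a server.

    Handshake 1 advertises only weak ciphers. If the certificate the
    server returns is approved, handshake 2 is run advertising the
    strong ciphers as well. Returns (negotiated cipher, handshake count).
    """
    first = server_hello(server_cert, server_ciphers, EXPORT_CIPHERS)
    if not cert_is_approved(first["cert"]):
        # Unapproved cert: stay on the export-grade connection.
        return first["cipher"], 1

    # Approved cert: second handshake, strong ciphers listed first.
    second = server_hello(server_cert, server_ciphers,
                          STRONG_CIPHERS + EXPORT_CIPHERS)
    return second["cipher"], 2


if __name__ == "__main__":
    full_server = STRONG_CIPHERS + EXPORT_CIPHERS
    print(export_client_connect(APPROVED_CERT, full_server))
    print(export_client_connect(PLAIN_CERT, full_server))
    # Approved cert but a server built without strong ciphers: the
    # second handshake happens, yet only an export cipher is agreed.
    print(export_client_connect(APPROVED_CERT, EXPORT_CIPHERS))
```

The third case is the point of Steve's "it just needs the server to support strong encryption": the certificate alone triggers the second handshake, but the server still has to be able to answer it with a strong cipher.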