"McMullan,Stephen" wrote:
>
> Hi,
>
> I've sourced a lot of info (MS Site, NS Site, this list's archives, mod_ssl)
> on how to create certs for webservers that will invoke MS SGC and Netscape
> step up but I just can't get it to work.
>
Well if you'd read the bit in doc/openssl.txt you might have got a clue.
The whole point of global server IDs at the time was that they allow the
use of strong cryptography in a tightly controlled way. If you could
create your own global server ID just by adding the appropriate
extensions to a certificate then anyone would do it and the whole thing
would be pointless.
So the browsers check that the certificate chain is a valid SGC or Step
up one. They first check the extensions (which you've set) and then (the
important bit) they check if the root CA is acceptable.
Whether a root CA is acceptable or not depends on some non user settable
parameters in the certificate database and/or some hard coded test.
Netscape has a bit it sets in the database that handles this but I think
Microsoft has a test hard coded into the CSP for Verisign Class 3 CA
(which was the only allowed SGC root at the time).
Someone has worked out the Netscape method and wrote a program to tweak
the bit so you can give the impression your own root CA is valid for SGC
use. I believe such a tool is distributed with mod_ssl. The change in
the export regulations also means that Netscape have actually documented
the database format including the "step up" bit.
The Microsoft technique is probably harder to break because it's in the
CSP which is itself protected by a signature (though the signature check
can be disabled or modified).
So you could in theory create your own "global server" certificates but
you'd have to run a program to persuade Netscape and MSIE to accept it.
If a user is prepared to do that then they might as well upgrade to 128
bits and not have to do any of this "global server" stuff. "True 128"
bit places a smaller load on servers anyway.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
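As an added illustration of the two-stage check Steve describes (extensions first, then whether the root is one the browser accepts), not code from the thread or from OpenSSL: a stdlib-only Python model that builds and parses a DER ExtKeyUsage value. The two OIDs are the real Microsoft SGC and Netscape step-up identifiers; the accepted-root set and the root names are constructed stand-ins for the non-user-settable database bit / hard-coded CSP test.

```python
# Added example (not from the thread): the two checks Steve describes, run over a
# constructed ExtKeyUsage value. OIDs are the real MS SGC / Netscape step-up ones.
SGC_OIDS = {
    "1.3.6.1.4.1.311.10.3.3": "Microsoft SGC",
    "2.16.840.1.113730.4.1": "Netscape step-up",
}
ACCEPTED_SGC_ROOTS = {"VeriSign Class 3 CA (constructed name)"}  # browser's built-in list

def encode_oid(dotted):  # DER OID: tag 0x06, short-form length, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # last octet carries no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(body):  # inverse of encode_oid, for the contents octets only
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_eku(oids):  # ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER
    content = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(content)]) + content

def parse_eku(der):  # walk the SEQUENCE (short-form lengths) and return dotted OIDs
    if not der or der[0] != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    i, end, oids = 2, 2 + der[1], []
    while i < end:
        tag, ln = der[i], der[i + 1]
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(der[i + 2:i + 2 + ln]))
        i += 2 + ln
    return oids

def sgc_markers(eku_der):  # check one: which SGC/step-up extensions are set
    return sorted(SGC_OIDS[o] for o in parse_eku(eku_der) if o in SGC_OIDS)

def would_step_up(eku_der, root_name):  # check two: the root must also be accepted
    return bool(sgc_markers(eku_der)) and root_name in ACCEPTED_SGC_ROOTS
```

A certificate carrying both extensions still fails `would_step_up` under a home-grown root, which is exactly the point of the second check.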