Marcus Leech wrote:
> So: two questions (with a possible answer of "use the source, luke"):
>
> o What bits are set in a "super cert" to indicate that it's a SGC
> or step-up cert? Or is it simply that certs issued by a super-cert
> authority (as marked in the browser CA cert databa
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, December 02, 1999 7:42
Subject: Re: Thawte "SuperCerts"
> Radia Perlman - Boston Center for Networking wrote:
> >
> > So since Thawte is advertising this, there must be a new version of
> > IE and Netscape that recognize Tha
> unless, of course, there's a built-in list of trusted CAs.
That's exactly what it is. Patching the list is apparently pretty
easy for Netscape Navigator -- instructions are included in the
mod_ssl Apache patch -- but it's not currently known what needs to
be done to make IE add a trusted CA.
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
> In message <[EMAIL PROTECTED]>, EKR writes:
>
> > I'm assuming it's compiled into the code, since if it were in the
> > cert database, it could be tampered with.
>
> Sure -- just like Fortify can't exist...
Fair enough.
I would have kind of exp
In message <[EMAIL PROTECTED]>, EKR writes:
> I'm assuming it's compiled into the code, since if it were in the
> cert database, it could be tampered with.
Sure -- just like Fortify can't exist...
--Steve Bellovin
"Marcus Leech" <[EMAIL PROTECTED]> writes:
> I'd totally forgotten about SGC (Server Gated Crypto), which is why the
> Thawte
> stuff kind of surprised me. I guess I'd simply erected some kind of
> mental block about SGC or something...
I can see why you would want to do that.
> At their web
Radia Perlman - Boston Center for Networking wrote:
>
> So since Thawte is advertising this, there must be a new version of
> IE and Netscape that recognize Thawte as an issuer of step-up certs.
> Which must mean that the US govt has approved Thawte (so that they
> allow export of browsers that r
I'd heard that unlike the trusted certifiers for regular certificates,
that the certifiers trusted for "step-up" certificates couldn't
be configured. This makes sense for the govt to
insist on this, since if you can add certifiers
to your browser that issue step-up certs, then it becomes really
ea
In message <00ee01bf3c40$08c1df00$[EMAIL PROTECTED]>, "Matthew Hamrick" writes:
> This moves the problem of what gets
> exported from the application developer to the CA issuing the super
> cert. While I'm not sure, I'm guessing that VeriSign can't issue a
> super cert to Uncle Saddam, but Thawte
On Wed, Dec 01, 1999 at 02:36:46PM -0500, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, "Marcus Leech" writes:
> > The Thawte folks are busily promoting their "SuperCerts" which enable
> > 128-bit
> > symmetric modes in "International" versions of the various browsers.
> >
> > I g
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Marcus,
Yes, this is a feature referred to as "step up" or "server gated
crypto." The idea is that as an application developer, you provide an
application that typically only allows export grade ciphers. Upon
presentation of a particular "super ce
In message <[EMAIL PROTECTED]>, "Marcus Leech" writes:
> The Thawte folks are busily promoting their "SuperCerts" which enable
> 128-bit
> symmetric modes in "International" versions of the various browsers.
>
> I guess I've been out of touch--is there an extension in web certs that
> enables
>