-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marcus,
    Yes, this is a feature referred to as "step up" or "server gated
crypto." The idea is that as an application developer, you provide an
application that typically only allows export grade ciphers. Upon
presentation of a particular "super cert" the export client
automagically "steps up" to domestic cipher suites. The idea here is
that foreign clients can talk securely to financial institutions, US
corporations, etc. that have one of these magic server certificates,
but when they're talking to "Uncle Saddam's super-secret spy shack,"
they're only talking 40 bit. This moves the problem of what gets
exported from the application developer to the CA issuing the super
cert. While I'm not sure, I'm guessing that VeriSign can't issue a
super cert to Uncle Saddam, but Thawte being in South Africa may have
more leeway in this regard.
    The last I really followed this topic was back in '97 when Tim
Dierks (Consensus/Certicom) was describing it for the TLS standard at
IETF and RSA conference meetings. Since then it's been a check-box on
the "things we'd like to add to our product list."
    I believe that the TLS SGC comes from work done independently at
Netscape and Microsoft. If I'm not mistaken, Ian Goldberg came up
with some sort of hack to forge a super-cert.

--Matt H.
-----Original Message-----
From: Marcus Leech <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, December 01, 1999 11:26 AM
Subject: Thawte "SuperCerts"


>The Thawte folks are busily promoting their "SuperCerts" which enable 128-bit
>symmetric modes in "International" versions of the various browsers.
>
>I guess I've been out of touch--is there an extension in web certs that enables
>better than 40-bit symmetric SSL modes?  My assumption has always been that
>a 40-bit (or 56-bit) browser was "nailed" to that particular key size, or
>lower.
>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>

iQA/AwUBOEWN+apYCXEJSE/yEQJ/GACePlxFnm+WmGGxl4pbN2TnRvqwLHwAnjY+
Rb6rggIgmFSZGnaiflWprhCh
=hQjS
-----END PGP SIGNATURE-----
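The step-up mechanism Matt describes above, as an added example that is not part of the original message or of any browser's code: an export-restricted client first offers only export-grade suites, then re-handshakes with domestic suites only after the server certificate turns out to carry one of the SGC extended-key-usage OIDs (the Netscape and Microsoft OIDs are real, well-known values, not taken from the message; the suite names are OpenSSL's). The DER encoder/decoder for the ExtendedKeyUsage extension is a deliberately small toy, and the `issued_by_trusted_sgc_ca` flag stands in for full chain validation, which is exactly where the message says the export-control decision ends up living.

```python
from typing import List

# Well-known OIDs (assumed values from the X.509 ecosystem, not from the message).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"         # id-kp-serverAuth
NETSCAPE_SGC = "2.16.840.1.113730.4.1"    # Netscape "step up"
MICROSOFT_SGC = "1.3.6.1.4.1.311.10.3.3"  # Microsoft Server Gated Crypto
SGC_OIDS = {NETSCAPE_SGC, MICROSOFT_SGC}

# Constructed cipher lists: what an export client may offer vs. what it steps up to.
EXPORT_SUITES = ["EXP-RC4-MD5"]              # 40-bit RC4, export grade
DOMESTIC_SUITES = ["RC4-SHA", "DES-CBC3-SHA"]  # 128-bit / 168-bit class


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (toy: first arc < 2 or second arc < 40 only)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # least significant group, no continuation bit
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))    # emit most significant group first
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Decode the contents octets of a DER OBJECT IDENTIFIER."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # last group of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(oids: List[str]) -> bytes:
    """ExtendedKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER (short-form lengths only)."""
    inner = b"".join(encode_oid(o) for o in oids)
    if len(inner) >= 0x80:
        raise ValueError("toy encoder supports short-form lengths only")
    return bytes([0x30, len(inner)]) + inner


def parse_eku(der: bytes) -> List[str]:
    """Parse an ExtendedKeyUsage value, rejecting anything malformed."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("malformed SEQUENCE")
    pos, oids = 2, []
    while pos < len(der):
        if der[pos] != 0x06 or pos + 1 >= len(der):
            raise ValueError("expected OBJECT IDENTIFIER")
        n = der[pos + 1]
        if n == 0 or n >= 0x80 or pos + 2 + n > len(der):
            raise ValueError("bad OID length")
        oids.append(decode_oid(der[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return oids


def has_sgc(eku_der: bytes) -> bool:
    """True if the certificate's EKU carries a step-up / SGC purpose."""
    return bool(SGC_OIDS.intersection(parse_eku(eku_der)))


def negotiate(eku_der: bytes, issued_by_trusted_sgc_ca: bool) -> dict:
    """Model the two-phase handshake of an export client.

    Phase 1 always uses an export suite.  The client steps up to a domestic
    suite only if the server cert is SGC-marked AND chains to a CA the client
    trusts to issue such certs (the flag is a stand-in for chain validation).
    """
    phase1 = EXPORT_SUITES[0]
    if not (issued_by_trusted_sgc_ca and has_sgc(eku_der)):
        return {"phase1": phase1, "stepped_up": False, "final": phase1}
    return {"phase1": phase1, "stepped_up": True, "final": DOMESTIC_SUITES[0]}


if __name__ == "__main__":
    super_cert = encode_eku([SERVER_AUTH, NETSCAPE_SGC])   # constructed EKU
    plain_cert = encode_eku([SERVER_AUTH])
    print("super cert, trusted CA :", negotiate(super_cert, True))
    print("super cert, untrusted  :", negotiate(super_cert, False))
    print("plain cert, trusted CA :", negotiate(plain_cert, True))
```

Two things worth noticing: the EKU check alone is not the security boundary, since any key holder can put an OID in a self-issued cert, so the `issued_by_trusted_sgc_ca` decision (really, path validation to a CA permitted to issue step-up certs) is what carries the weight; and the parser refuses malformed lengths rather than reading past the buffer, which is the defensive property you want in anything that inspects certificate extensions.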