Radia Perlman - Boston Center for Networking wrote:
>
> So since Thawte is advertising this, there must be a new version of
> IE and Netscape that recognize Thawte as an issuer of step-up certs.
> Which must mean that the US govt has approved Thawte (so that they
> allow export of browsers that recognize it), which must mean that
> Thawte has promised to only issue step-up certs to institutions
> that the US govt would approve getting such certs.
>
> Radia
I'd totally forgotten about SGC (Server Gated Crypto), which is why the
Thawte stuff kind of surprised me. I guess I'd simply erected some kind of
mental block about SGC or something...
At their web site, they do talk about more recent versions of browsers
supporting this concept.
So: two questions (with a possible answer of "use the source, luke"):
o What bits are set in a "super cert" to indicate that it's an SGC
or step-up cert? Or is it simply that certs issued by a super-cert
authority (as marked in the browser CA cert database) are always
"step up" certs?
o I'm thinking that there's a bit in the CA cert database that
Netscape and IE maintain that says "OK to issue SGC certs". Anyone know
where the bit is?
I don't remember seeing anything like this in the PKIX or TLS specs, so
I'm thinking that this "step up"/SGC notion is implemented out-of-band.