Marcus,
The answers to your questions, and more, are at:
http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/README.GlobalID
Cheers --
Enzo
----- Original Message -----
From: Marcus Leech <[EMAIL PROTECTED]>
To: Radia Perlman - Boston Center for Networking <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, December 02, 1999 7:42
Subject: Re: Thawte "SuperCerts"
> Radia Perlman - Boston Center for Networking wrote:
> >
> > So since Thawte is advertising this, there must be a new version of
> > IE and Netscape that recognize Thawte as an issuer of step-up certs.
> > Which must mean that the US govt has approved Thawte (so that they
> > allow export of browsers that recognize it), which must mean that
> > Thawte has promised to only issue step-up certs to institutions
> > that the US govt would approve getting such certs.
> >
> > Radia
> I'd totally forgotten about SGC (Server Gated Crypto), which is why the
> Thawte stuff kind of surprised me. I guess I'd simply erected some kind of
> mental block about SGC or something...
>
> At their web site, they do talk about more recent versions of browsers
> supporting this concept.
>
> So: two questions (with a possible answer of "use the source, luke"):
>
> o What bits are set in a "super cert" to indicate that it's an SGC
> or step-up cert? Or is it simply that certs issued by a super-cert
> authority (as marked in the browser CA cert database) are always
> "step up" certs?
>
> o I'm thinking that there's a bit in the CA cert database that
> Netscape and IE maintain that says "OK to issue SGC certs". Anyone
> know where the bit is?
>
> I don't remember seeing anything like this in the PKIX or TLS specs, so
> I'm thinking that this "step up"/SGC notion is implemented out-of-band.
>