Marcus Leech wrote:
> So: two questions (with a possible answer of "use the source, luke"):
>
> o What bits are set in a "super cert" to indicate that it's a SGC
> or step-up cert? Or is it simply that certs issued by a super-cert
> authority (as marked in the browser CA cert database) are always
> "step up" certs?
The latter.
> o I'm thinking that there's a bit in the CA cert database that
> Netscape and
> IE maintain that says "OK to issue SGC certs". Anyone know where
> the bit
> is?
Yes, it is known, at least for Netscape, but I'm afraid I've forgotten
where it is documented. There's also a program to tweak Netscape's CA
cert DB to mark a CA of your choice for SGC.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi