I'm creating an x509 certificate profile and want to know if there are some applications that need any Netscape extension to work.
We have no plan to add Netscape extensions, but want to know if there are some interoperability problems or if there is some software that depends on them.
TIA :: Nelson ::
Nelson,
Most of the Netscape extensions have been superseded by newer standard extensions, and the Netscape/mozilla software is happy to use the standard extensions instead of the old Netscape ones.
The standard "Extended Key Usage Extension" is a list of OIDs that define various special purposes for certificates. There are two OIDs that were defined by Netscape that were (are?) honored by various software (including non-Netscape browsers), but have fallen into disuse. They are:
a) the "SSL Step Up" OID, that allowed "export" browsers to use the stronger "domestic" strength encryption. This OID was honored by Netscape and Microsoft browsers. But AFAIK, "export browsers" are a thing of the past, and this SSL Step Up feature is no longer useful (and not worth paying extra money for, although some CAs still charge a premium for it.)
Microsoft has their own "SGC" OID that serves a similar purpose, but is not recognized by Netscape/mozilla browsers.
b) the "Object signing" OID. This is similar to the newer standard "Code signing" OID, but it has more stringent requirements. Certain downloaded code "objects" (such as java jar files) would execute in Netscape Communicator 4.x with special privileges if they were signed with a valid certificate that had the extended key usage OID in it. Unlike the new standard "Code Signing" OID, the Object Signing OID had to be present in the EE cert and also in all the intermediate CA certs in the chain in order to be valid for Object signing.
However, AFAIK, the "object signing" feature was not carried over into later generation browsers (after Communicator 4.x). So, it's probably not too important any more.
Hope this helps.
/Nelson
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
