Hi there,

At 02:59 PM 4/21/00 -0400, Thomas Reinke wrote:
>The intent is to allow export located financial institutions to
>use strong cryptography, while keeping it out of the hands
>of others. (Hmmm...I'll refrain here)
>
>AFAIK, only Microsoft IIS and Netscape Enterprise server support
>SGC at this point, and only IE 4/Netscape 4.0 browsers support
>this. There are known problems with the technology

Indeed there are. Without wishing to make this a commercial plug, I feel
bound to correct your statement - C2Net's Stronghold (yes yes, I work for
them, I confess it) also supports GSID certs. I'll refrain from posting
URLs as that may look a little *too* plugish. I'd also want anyone else out
there supporting GSID certs to make their presence felt - there's more to
life than Microsoft and Netscape. :-)

>To the best of my knowledge, no OpenSSL based servers have
>implemented this technology.

Same correction again, and there may be others out there besides C2 who are
doing this too. BTW: It would appear that MSIE has another "quirk" - if it
spots the Microsoft SGC extension in the (GSID) server certificate, it will
attempt to do a "fast" upgrade from 40/56/whatever-bit crypto up to a real
cipher suite. Unfortunately this is bad form with regard to the SSL
protocol, and a work-around has only been added to OpenSSL recently thanks
to some clever protocol juggling by Stephen Henson. Recent versions of
OpenSSL, used with certificates containing this extension, will tolerate the
broken MSIE behaviour.

If the server cert does not have this extension (i.e. it only has the
Netscape one) then MSIE will play ball and upgrade properly, which will be
fine. This will affect any servers using SSLeay or OpenSSL prior to
whichever version Steve added support in, so OpenSSL 0.9.5 onwards I
think. Steve, can you clarify?

Cheers,
Geoff
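An added example to go with the above, not code from the mail or from OpenSSL: the SGC markers live in the certificate's extendedKeyUsage as OIDs (the ones OpenSSL's object table names msSGC and nsSGC; those OID values are not on the page), so a server operator can decode that extension value and see whether a cert carries the Microsoft marker that triggers the MSIE quirk. The DER helpers and the two sample EKU values are constructed here for the demonstration.

```python
# Decode a DER ExtendedKeyUsage value and report the SGC OIDs it carries.
# OID values assumed from OpenSSL's object table (serverAuth, msSGC, nsSGC).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
MS_SGC = "1.3.6.1.4.1.311.10.3.3"   # OpenSSL name: msSGC (Microsoft SGC)
NS_SGC = "2.16.840.1.113730.4.1"    # OpenSSL name: nsSGC (Netscape SGC)

def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits last, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid_body(body):
    """Turn OID content octets back into dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def eku_value(oids):
    """Build an EKU extension value: SEQUENCE OF OBJECT IDENTIFIER."""
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner

def parse_eku(der):
    """Return the dotted OIDs in an EKU value (short-form lengths only)."""
    if der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    oids, i = [], 2
    while i < len(der):
        if der[i] != 0x06:
            raise ValueError("non-OID element in EKU")
        n = der[i + 1]
        oids.append(decode_oid_body(der[i + 2:i + 2 + n]))
        i += 2 + n
    return oids

def sgc_flags(der):
    """Which SGC markers a cert's EKU carries; msSGC is the one MSIE reacts to."""
    oids = parse_eku(der)
    return {"msSGC": MS_SGC in oids, "nsSGC": NS_SGC in oids}

# Constructed samples: a cert with both markers, and a Netscape-only one.
SAMPLE_BOTH = eku_value([SERVER_AUTH, MS_SGC, NS_SGC])
SAMPLE_NS_ONLY = eku_value([SERVER_AUTH, NS_SGC])
```

Run `sgc_flags` over the EKU bytes pulled from a real server certificate to tell the two cases in the mail apart before deploying to pre-0.9.5 OpenSSL or SSLeay.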

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]