Greg,

As your link states, you need to have a CA cert signed by a root SGC CA and as I 
recall, both MS and NS have to control access to such entities quite closely (i.e. you 
need to be a big company or at least you have to be big enough to not be able to run 
away from the gov). The history of SGC involves MS and NS negotiations with the US gov 
(read, NSA) to allow 128 bit encryption support in browsers offshore when the 
situation warranted (i.e. banking transactions). The gov relented and allowed NS and MS 
to ship 128 bit crypto with their browsers as long as it could only be used in 
"authorized" applications, hence the development of the SGC extension in certificates. 
Because the SGC extension root certs were compiled into the browsers, one cannot 
simply create your own CA with the extension; it won't work. You can either get an SGC 
CA cert from one of the two vendors (assuming you meet the criteria and pay the dough) 
or I suppose you could ask the gov to let you have a root SGC CA.

SGC is more or less a moot point these days, unless your clients can't upgrade to the 
strong crypto browsers. OK, so it's probably not that moot :)

-lee

-----Original Message-----
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 25, 2001 3:56 PM
To: [EMAIL PROTECTED]
Subject: Re: SCG, DSA


> 1.> I'm wondering if it's possible to make a digital cert that
> supports/uses SCG (Server Gated Cryptography), and if so, how?
>
> [Lee]  I think you have to be a big company, like MS or Netscape, and
> negotiate a special deal with the NSA.


I don't think so. Better yet, search for SGC (not SCG) in the archives, for
one example see
(http://www.mail-archive.com/openssl-users@openssl.org/msg13731.html), and
look at the doc/openssl.txt.

However, there is probably *no* reason for anyone to create an SGC cert
anymore.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________