Well, as long as we're picking nits.... (Especially since Greg doesn't
seem to make mistakes in his explanations.)
> I can create one using OpenSSL and get it
> signed by Verisign without paying a penny to MS or Netscape. I'll have to
> pay Verisign of course, perhaps more than usual (~US $500), but even tiny
> companies can probably afford it :)
The trick to SGC / step-up crypto is that Verisign set aside a special
CA, embedded in the browsers, that would only be used to sign authorized
certs. Before Verisign would actually issue the certificate, they would
have to perform some due diligence to ensure that you were a suitable
institution (bank, healthcare, multinational communicating with foreign
branch offices, etc).
So while you might be able to *afford* it, they probably wouldn't issue
it.
Since there are no export regulations on "browser crypto," it would be
an interesting question -- albeit an academic one, unless you have a
large installed base of those old browsers to support -- what it takes
to get an SGC/S-U cert these days.
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
