Re: [iaik-jce] International Step-Up Encryption Certificate
As Peter already said, browsers will only perform a step-up if the
certificate is issued by an appropriate CA (otherwise the export
restrictions would be defeated). Only VeriSign and, since recently, Thawte
have US government permission to issue step-up certificates, and they may
only issue them to banks, e-commerce institutions, etc.
Anyway, if you are able to obtain such a certificate from one of those
CAs there should be no problem using the step-up feature with iSaSiLk.
Andreas Sterbenz mailto:Andreas.Sterbenz@iaik.tu-graz.ac.at
-----Original Message-----
From: Gil Peeters <gil@online.be>
To: <iaik-jce@iaik.tu-graz.ac.at>
Sent: Tuesday, 14 September 1999 16:06
Subject: [iaik-jce] International Step-Up Encryption Certificate
> Maybe a little off topic, but here goes.
>
> I am working on a project where we are implementing our server (Notes)
> to use International Step-Up Encryption (Server Gated Cryptography)
> certificates. We want to generate our own certificates for testing, and
> we have managed to do so using the JCE Toolkit. They are, however,
> standard certificates, not Step-Up certificates.
>
> I want to generate a certificate which allows a Step-Up from an Export
> RC4 40-bit secret to a true 128-bit RC4. I read on the Netscape
> developer site:
> http://developer.netscape.com:80/tech/security/stepup/overview.html
> that you require a special type of certificate. I know a couple of
> sites that use it, and so made an SSLClient app that printed off the
> certificate of such servers, and found that there were 4-5 V3 extensions
> on the certificates.
>
> 3 of them are known types, but 2 are unknown.
>
> So the question is, is there anywhere (link to documentation) where I can
> find the meaning of these codes? Or can anyone explain the meaning of
> these 2 extensions. The extensions were the same for all 3 sites I checked:
>
> [Ext 0 - (class iaik.x509.UnknownExtension)]
> UnknownExtension: OBJECT ID = 2.16.840.1.113733.1.6.7
>   IA5String = "34c028ac3c6b51e18a3452077fc24f2c"   <<< NB: different for
>   each cert, and one did not have this.
>
> [Ext 1 (class iaik.x509.extensions.netscape.NetscapeCertType)]
> NetscapeCertType: SSL Server
>
> [Ext 2 - (class iaik.x509.UnknownExtension)]
> UnknownExtension: OBJECT ID = 2.5.29.3
>   SEQUENCE[C] = 1 elements
>     SEQUENCE[C] = 1 elements
>       SEQUENCE[C] = 2 elements
>         OBJECT ID = 2.16.840.1.113733.1.7.1.1
>         SEQUENCE[C] = 4 elements
>           IA5String = "This certificate incorporates by reference, and its
>             use is strictly subject to, the VeriSign Certification Practice
>             Statement (CPS), available at: https://www.verisign.com/CPS; by E-mail
>             at CPS-requests@verisign.com; or by mail at VeriSign, Inc., 2593 Coast
>             Ave., Mountain View, CA 94043 USA Tel. +1 (415) 961-8830 Copyright (c)
>             1996 VeriSign, Inc. All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED
>             and LIABILITY LIMITED."
>           CONTEXTSPECIFIC[C] = [0] EXPLICIT
>             OBJECT ID = 2.16.840.1.113733.1.7.1.1.1
>           CONTEXTSPECIFIC[C] = [1] EXPLICIT
>             OBJECT ID = 2.16.840.1.113733.1.7.1.1.2
>           SEQUENCE[C] = 1 elements
>             SEQUENCE[C] = 1 elements
>               IA5String = "https://www.verisign.com/repository/CPS "
>
> [Ext 3 - (class iaik.x509.extensions.BasicConstraints)]
> CA: no
>
> [Ext 4 - (class iaik.x509.extensions.ExtendedKeyUsage)]
> KeyPurposeId 0: 2.16.840.1.113730.4.1
>
>
> So the question is:
>
> What are Object IDs:
>
> 2.16.840.1.113733.1.6.7
> 2.5.29.3
>
> and for iaik.x509.extensions.ExtendedKeyUsage,
> what is KeyPurposeId 2.16.840.1.113730.4.1?
>
> A reference to a site would be good.
>
> Thanks.
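The marker Gil's SSLClient dump found in Ext 4 is the Netscape Server Gated Crypto key-purpose OID, 2.16.840.1.113730.4.1, carried in extKeyUsage (2.5.29.37). Ext 2's OID, 2.5.29.3, is the certificatePolicies OID from the 1993 edition of X.509 (the 1997 edition reassigned it to 2.5.29.32), which is why the dump shows a PolicyInformation with a CPS pointer and a user notice. The remaining OID, 2.16.840.1.113733.1.6.7, is a VeriSign private extension that this thread does not identify. The following is an added example, not code from the original post or from the IAIK toolkit: a small pure-Python DER walker that encodes and decodes these OIDs, builds a constructed (not captured) Extensions SEQUENCE, parses it back, and reports whether extKeyUsage lists nsSGC. As Andreas's reply notes, that marker is only the certificate side of step-up; the browser also requires the issuer to be an SGC-approved CA, and the example does not pretend to check that.

```python
# Added example (not from the original post or the IAIK toolkit): a tiny DER
# walker for the X.509 extension OIDs discussed in the thread.  The sample
# Extensions SEQUENCE below is constructed here, not taken from a real cert.
from typing import List, Tuple

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_NS_SGC = "2.16.840.1.113730.4.1"       # Netscape Server Gated Crypto
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth, for contrast

TAG_BOOLEAN, TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x01, 0x06, 0x04, 0x30


def encode_oid(dotted: str) -> bytes:
    """DER content octets of an OID: first two arcs merged as 40*a+b, every
    arc in base-128 with the high bit set on all but its last byte."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid; rejects an empty or truncated encoding."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated or empty OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def der(tag: int, value: bytes) -> bytes:
    """Wrap value in a DER TLV with definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV at data[pos:] and return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:pos + length], pos + length


def build_extensions(key_purposes: List[str]) -> bytes:
    """Constructed sample Extensions ::= SEQUENCE OF Extension: a critical
    basicConstraints (cA defaults to FALSE) plus an extKeyUsage extension."""
    basic = der(TAG_SEQUENCE, der(TAG_OID, encode_oid(OID_BASIC_CONSTRAINTS))
                + der(TAG_BOOLEAN, b"\xff")                      # critical TRUE
                + der(TAG_OCTET_STRING, der(TAG_SEQUENCE, b"")))  # empty => CA: no
    eku_value = der(TAG_SEQUENCE,
                    b"".join(der(TAG_OID, encode_oid(o)) for o in key_purposes))
    eku = der(TAG_SEQUENCE, der(TAG_OID, encode_oid(OID_EXT_KEY_USAGE))
              + der(TAG_OCTET_STRING, eku_value))
    return der(TAG_SEQUENCE, basic + eku)


def parse_extensions(ext_seq: bytes) -> List[Tuple[str, bool, bytes]]:
    """Return (extnID, critical, extnValue) for each Extension in the SEQUENCE."""
    tag, body, _ = der_tlv(ext_seq)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        _, ext, pos = der_tlv(body, pos)
        _, oid_body, p = der_tlv(ext)
        tag, value, p = der_tlv(ext, p)
        critical = False
        if tag == TAG_BOOLEAN:       # DEFAULT FALSE, so DER omits it when false
            critical = value != b"\x00"
            tag, value, p = der_tlv(ext, p)
        found.append((decode_oid(oid_body), critical, value))
    return found


def key_purposes(extn_value: bytes) -> List[str]:
    """Decode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    _, body, _ = der_tlv(extn_value)
    purposes, pos = [], 0
    while pos < len(body):
        _, oid_body, pos = der_tlv(body, pos)
        purposes.append(decode_oid(oid_body))
    return purposes


def has_sgc_marker(ext_seq: bytes) -> bool:
    """Certificate-side marker only: the browser also requires an SGC-approved
    issuing CA, so True here does not by itself mean step-up will happen."""
    return any(oid == OID_EXT_KEY_USAGE and OID_NS_SGC in key_purposes(value)
               for oid, _critical, value in parse_extensions(ext_seq))


if __name__ == "__main__":
    for label, purposes in (("SGC cert", [OID_SERVER_AUTH, OID_NS_SGC]),
                            ("plain cert", [OID_SERVER_AUTH])):
        exts = build_extensions(purposes)
        print(label, [(o, c) for o, c, _ in parse_extensions(exts)], has_sgc_marker(exts))
    print("nsSGC OID on the wire:", encode_oid(OID_NS_SGC).hex())
```

Running it shows the nsSGC OID as the content octets 60 86 48 01 86 F8 42 04 01, which is the byte pattern to look for when eyeballing a raw certificate dump; the two VeriSign OIDs from the thread differ from the Netscape arc only in the 113733 versus 113730 sub-arc (86 F8 45 versus 86 F8 42).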