
Re: [iaik-jce] International Step-Up Encryption Certificate



As Peter already said, browsers will only perform a step-up if the
certificate is issued by an appropriate CA (otherwise the export
restrictions would be defeated). Only Verisign and, since recently, Thawte
have US government permission to issue step-up certificates, and they may
only issue them to banks, e-commerce institutions, etc.

Anyway, if you are able to obtain such a certificate from one of those
CAs there should be no problem using the step-up feature with iSaSiLk.

 Andreas Sterbenz              mailto:Andreas.Sterbenz@iaik.tu-graz.ac.at

-----Original Message-----
From: Gil Peeters <gil@online.be>
To: <iaik-jce@iaik.tu-graz.ac.at>
Sent: Tuesday, 14 September 1999 16:06
Subject: [iaik-jce] International Step-Up Encryption Certificate


> Maybe a little off topic, but here goes.
>
> I am working on a project where we are implementing our server (Notes)
> to use International Step-Up Encryption (Server Gated Cryptography)
> Certificates. We want to generate our own certificates for testing, and
> we have managed to do so using the JCE Toolkit. They are however
> standard certificates, not Step-up certificates.
>
> I want to generate a certificate, which allows a Step-Up from an Export
> RC4 - 40 bit secret to a true 128 bit RC-4. I read on the Netscape
> developer site:
> http://developer.netscape.com:80/tech/security/stepup/overview.html
> that you require a special type of certificate. I know a couple of
> sites that use it, and so made an SSLClient app that printed off the
> certificate of such servers, and found that there were 4-5 V3 Extensions
> on the certificates.
>
> 3 of them are known types, but 2 are unknown.
>
> So the question is, is there anywhere (link to doco) where I can find
> the meaning of these codes? Or can anyone explain the meaning of these 2
> extensions? The extensions were the same for all 3 sites I checked:
>
> [Ext 0 - (class iaik.x509.UnknownExtension)]
> UnknownExtension:     OBJECT ID = 2.16.840.1.113733.1.6.7
> IA5String = "34c028ac3c6b51e18a3452077fc24f2c"  <<< NB: Different for
> each CERT, and One did not have this.
>
> [Ext 1 (class iaik.x509.extensions.netscape.NetscapeCertType)]
> NetscapeCertType: SSL Server
>
> [Ext 2 - (class iaik.x509.UnknownExtension)]
> UnknownExtension:     OBJECT ID = 2.5.29.3
> SEQUENCE[C] = 1 elements
>   SEQUENCE[C] = 1 elements
>     SEQUENCE[C] = 2 elements
>       OBJECT ID = 2.16.840.1.113733.1.7.1.1
>       SEQUENCE[C] = 4 elements
>         IA5String = "This certificate incorporates by reference, and its
> use is strictly subject to, the VeriSign Certification Practice
> Statement (CPS), available at: https://www.verisign.com/CPS; by E-mail
> at CPS-requests@verisign.com; or by mail at VeriSign, Inc., 2593 Coast
> Ave., Mountain View, CA 94043 USA Tel. +1 (415) 961-8830 Copyright (c)
> 1996 VeriSign, Inc.  All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED
> and LIABILITY LIMITED."
>         CONTEXTSPECIFIC[C] = [0] EXPLICIT
>           OBJECT ID = 2.16.840.1.113733.1.7.1.1.1
>         CONTEXTSPECIFIC[C] = [1] EXPLICIT
>           OBJECT ID = 2.16.840.1.113733.1.7.1.1.2
>         SEQUENCE[C] = 1 elements
>           SEQUENCE[C] = 1 elements
>             IA5String = "https://www.verisign.com/repository/CPS "
>
> [Ext 3 - (class iaik.x509.extensions.BasicConstraints)]
> CA: no
> [Ext 4 - (class iaik.x509.extensions.ExtendedKeyUsage)]
> KeyPurposeId 0:  2.16.840.1.113730.4.1
>
>
> So the question is:
>
> What are Object IDs:
>
> 2.16.840.1.113733.1.6.7
> 2.5.29.3
>
> and for iaik.x509.extensions.ExtendedKeyUsage
> what is KeyPurposeId: 2.16.840.1.113730.4.1?
>
> A reference to a site would be good.
>
> Thanks.
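
Added example (my own code, not part of the thread and not from the IAIK
toolkit): the dump above was produced by hand-reading V3 extensions, so
here is a small pure-Python DER walker that does the same job and names
the OIDs. It decodes an Extensions SEQUENCE, decodes each extnID, and
reports whether the extKeyUsage carries a Server Gated Cryptography
(step-up) key purpose. The OID name table is my assumption of the usual
registrations (Netscape nsSGC 2.16.840.1.113730.4.1, Microsoft msSGC
1.3.6.1.4.1.311.10.3.3, the obsolete id-ce 3 certificatePolicies); the
VeriSign extension 2.16.840.1.113733.1.6.7 is only identified by its
private arc, as in the thread. The sample extension block is constructed
in the script and modelled on the dump; it is not taken from any real
certificate.

```python
"""Decode the OIDs in an X.509 v3 Extensions block and report any Server
Gated Cryptography (SGC, "step-up") key purpose.  Pure Python, no
third-party modules; the sample extension block below is constructed."""

# OID names this script knows (assumption: the usual registrations).
KNOWN_OIDS = {
    "2.5.29.19": "basicConstraints",
    "2.5.29.37": "extKeyUsage",
    "2.5.29.3": "certificatePolicies (obsolete id-ce 3; current extension is 2.5.29.32)",
    "2.16.840.1.113730.1.1": "netscape-cert-type",
    "2.16.840.1.113730.4.1": "Netscape Server Gated Crypto (nsSGC)",
    "1.3.6.1.4.1.311.10.3.3": "Microsoft Server Gated Crypto (msSGC)",
}
SGC_PURPOSES = {"2.16.840.1.113730.4.1", "1.3.6.1.4.1.311.10.3.3"}
PRIVATE_ARCS = {"2.16.840.1.113730.": "Netscape", "2.16.840.1.113733.": "VeriSign"}

def tlv(tag, body):
    """DER TLV; short-form length below 128, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base 128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Extensions ::= SEQUENCE OF Extension { extnID OID, critical BOOLEAN
    DEFAULT FALSE, extnValue OCTET STRING } -> [(oid, critical, value)]."""
    _, body, _ = read_tlv(der)
    pos, result = 0, []
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_bytes, p = read_tlv(ext)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                       # the optional BOOLEAN is present
            critical = val != b"\x00"
            tag, val, p = read_tlv(ext, p)
        result.append((decode_oid(oid_bytes), critical, val))  # val = extnValue
    return result

def key_purposes(extn_value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> dotted OIDs."""
    _, body, _ = read_tlv(extn_value)
    pos, ids = 0, []
    while pos < len(body):
        _, oid, pos = read_tlv(body, pos)
        ids.append(decode_oid(oid))
    return ids

def describe(oid):
    """Name for a known OID, else the owner of its private arc."""
    if oid in KNOWN_OIDS:
        return KNOWN_OIDS[oid]
    owner = next((o for arc, o in PRIVATE_ARCS.items() if oid.startswith(arc)), None)
    return "unknown %s private OID" % owner if owner else "unknown OID"

def sgc_purposes(der):
    """SGC KeyPurposeIds asserted in extKeyUsage (empty list if none)."""
    return [p for oid, _, val in parse_extensions(der) if oid == "2.5.29.37"
            for p in key_purposes(val) if p in SGC_PURPOSES]

def sample_extensions():
    """Constructed sample modelled on the dump in the thread (not bytes from
    a real certificate): an unknown VeriSign extension, netscape-cert-type,
    basicConstraints and an extKeyUsage carrying nsSGC."""
    def ext(oid, value):
        return tlv(0x30, encode_oid(oid) + tlv(0x04, value))
    return tlv(0x30, b"".join([
        ext("2.16.840.1.113733.1.6.7", tlv(0x16, b"0123456789abcdef")),  # IA5String placeholder
        ext("2.16.840.1.113730.1.1", tlv(0x03, b"\x06\x40")),  # BIT STRING, bit 1 = SSL server
        ext("2.5.29.19", tlv(0x30, b"")),                      # cA absent -> FALSE
        ext("2.5.29.37", tlv(0x30, encode_oid("2.16.840.1.113730.4.1"))),
    ]))

if __name__ == "__main__":
    der = sample_extensions()
    for oid, critical, val in parse_extensions(der):
        print("%-26s %s -> %s" % (oid, "critical" if critical else "non-critical", describe(oid)))
        if oid == "2.5.29.37":
            for kp in key_purposes(val):
                print("    KeyPurposeId %s -> %s" % (kp, describe(kp)))
    print("SGC step-up purposes:", sgc_purposes(der) or "none")
```

Two caveats a practitioner should keep in mind. First, the script only
reads the extension block; it does not validate the chain, and, as the
reply above says, a browser performs the step-up only when the certificate
chains to a CA it recognizes as permitted to issue SGC certificates, so
putting nsSGC into a self-issued test certificate will decode correctly
here but will not unlock 128-bit ciphers in an export browser. Second,
the walker assumes well-formed DER; a parser fed untrusted certificates
should bounds-check every length before slicing rather than relying on
Python's silent short slices.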


