As Peter already said, browsers will only perform a step-up if the certificate is issued by an appropriate CA (otherwise the export restrictions would be defeated). Only Verisign and, since recently, Thawte have US government permission to issue step-up certificates, and they may only issue them to banks, e-commerce institutions, etc.

Anyway, if you are able to obtain such a certificate from one of those CAs, there should be no problem using the step-up feature with iSaSiLk.

Andreas Sterbenz mailto:Andreas.Sterbenz@iaik.tu-graz.ac.at

-----Original Message-----
From: Gil Peeters <firstname.lastname@example.org>
To: <email@example.com>
Sent: Tuesday, 14 September 1999 16:06
Subject: [iaik-jce] International Step-Up Encryption Certificate

> Maybe a little off topic, but here goes.
>
> I am working on a project where we are implementing our server (Notes)
> to use International Step-Up Encryption (Server Gated Cryptography)
> Certificates. We want to generate our own certificates for testing, and
> we have managed to do so using the JCE Toolkit. They are, however,
> standard certificates, not Step-up certificates.
>
> I want to generate a certificate which allows a Step-Up from an Export
> RC4 - 40 bit secret to a true 128 bit RC-4. I read on the Netscape
> developer site:
> http://developer.netscape.com:80/tech/security/stepup/overview.html
> that you require a special type of certificate. I know a couple of
> sites that use it, and so made a SSLClient app that printed off the
> certificate of such servers, and found that there were 4-5 V3 Extensions
> on the certificates.
>
> 3 of them are known types, but 2 are unknown.
>
> So the question is, is there anywhere (link to doco) where I can find
> the meaning of these codes? Or can anyone explain the meaning of these 2
> extensions?
> The extensions were the same for all 3 sites I checked:
>
> [Ext 0 - (class iaik.x509.UnknownExtension)]
> UnknownExtension: OBJECT ID = 2.16.840.1.113718.104.22.168
> IA5String = "34c028ac3c6b51e18a3452077fc24f2c" <<< NB: Different for
> each CERT, and One did not have this.
>
> [Ext 1 (class iaik.x509.extensions.netscape.NetscapeCertType)]
> NetscapeCertType: SSL Server
>
> [Ext 2 - (class iaik.x509.UnknownExtension)]
> UnknownExtension: OBJECT ID = 22.214.171.124
> SEQUENCE[C] = 1 elements
> SEQUENCE[C] = 1 elements
> SEQUENCE[C] = 2 elements
> OBJECT ID = 2.16.840.1.1137126.96.36.199.1
> SEQUENCE[C] = 4 elements
> IA5String = "This certificate incorporates by reference, and its
> use is strictly subject to, the VeriSign Certification Practice
> Statement (CPS), available at: https://www.verisign.com/CPS; by E-mail
> at CPSfirstname.lastname@example.org; or by mail at VeriSign, Inc., 2593 Coast
> Ave., Mountain View, CA 94043 USA Tel. +1 (415) 961-8830 Copyright (c)
> 1996 VeriSign, Inc. All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED
> and LIABILITY LIMITED."
> CONTEXTSPECIFIC[C] =  EXPLICIT
> OBJECT ID = 2.16.840.1.1137188.8.131.52.1.1
> CONTEXTSPECIFIC[C] =  EXPLICIT
> OBJECT ID = 2.16.840.1.1137184.108.40.206.1.2
> SEQUENCE[C] = 1 elements
> SEQUENCE[C] = 1 elements
> IA5String = "https://www.verisign.com/repository/CPS "
>
> [Ext 3 - (class iaik.x509.extensions.BasicConstraints)]
> CA: no
> [Ext 4 - (class iaik.x509.extensions.ExtendedKeyUsage)]
> KeyPurposeId 0: 2.16.840.1.113730.4.1
>
>
> So the question is:
>
> What are Object IDs:
>
> 2.16.840.1.1137220.127.116.11
> 18.104.22.168
>
> and for iaik.x509.extensions.ExtendedKeyUsage
> what is KeyPurposeId: 2.16.840.1.113730.4.1?
>
> A reference to a site would be good.
>
> Thanks.