[thelist] security certificates

Paul Cowan paul at wishlist.com.au
Wed Aug 22 00:22:35 CDT 2001


> P.S.: Anyone: are all browsers able to authenticate 128-bits 
> keys nowadays?

As I understand it (your mileage may, as always, vary), you're generally
pretty right now; but I guess 128-bit can't be used exclusively, as there
are still 'export' versions of various browser/OS combos which are shipped
to what the US Government might call "rogue states".

I am not aware of any browsers that 'choke' on keys that use 'SGC' 
(Server-Gated Cryptography) or 'Step-Up' encryption, however. This
is where 128-bit connection security is 'negotiated' with the client, 
and if the client can't cope, 56-bit security is used off the same 
certificate (Thawte call these 'SuperCerts'), as long as your web 
server supports it.

We use SGC certificates, anyway, and we haven't had any reports of dramas
from overseas browsers.

Caveat: there are bugs in IIS which mean that if you're using an SGC
cert, Netscape 4.x will crash on SSL connection, unless you apply a patch.
See:
http://support.microsoft.com/support/kb/articles/Q249/8/63.ASP
http://support.microsoft.com/support/kb/articles/Q260/2/66.ASP


Cheers,

Paul
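
Added example, not part of the original post: one way to see which clients fall back to 56-bit on an SGC certificate is to audit the negotiated key size per connection. The log format, sample lines and the `audit` function are assumptions constructed for illustration; adapt the pattern to whatever your server actually logs.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post). Assumed format:
#   client_ip "user-agent" cipher_name negotiated_key_bits
SAMPLE_LOG = '''\
203.0.113.10 "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" RC4-MD5 128
198.51.100.7 "Mozilla/4.61 [en] (WinNT; I)" EXP1024-RC4-SHA 56
198.51.100.7 "Mozilla/4.61 [en] (WinNT; I)" EXP1024-RC4-SHA 56
192.0.2.44 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)" DES-CBC-SHA 56
this line is malformed and should be counted, not crash the parser
203.0.113.99 "Mozilla/4.76 [en] (X11; U; Linux)" RC4-MD5 128
'''

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\S+) (\d+)$')
STRONG_BITS = 128  # the strength the SGC negotiation is meant to reach


def audit(log_text, min_bits=STRONG_BITS):
    """Return (weak, stats).

    weak  maps (user_agent, cipher, bits) -> number of connections below min_bits
    stats counts 'strong', 'weak' and 'malformed' lines
    """
    weak = Counter()
    stats = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            stats["malformed"] += 1  # never silently drop unparsed lines
            continue
        _ip, agent, cipher, bits = m.groups()
        bits = int(bits)
        if bits >= min_bits:
            stats["strong"] += 1
        else:
            stats["weak"] += 1
            weak[(agent, cipher, bits)] += 1
    return weak, stats


if __name__ == "__main__":
    weak, stats = audit(SAMPLE_LOG)
    print(dict(stats))
    for (agent, cipher, bits), n in weak.most_common():
        print(f"{n:3d}  {bits:3d}-bit  {cipher:<16} {agent}")
```

Grouping by user-agent shows whether the 56-bit connections come from a handful of old export builds or from a population large enough that dropping sub-128-bit ciphers would lock real users out.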



