srdavid...@gmail.com wrote, On 2009-01-20 11:48:
>> Yes, those browsers allowed SGC/Step-up only for a restricted list of
>> pre-installed root CA certificates.
>
> Anyone have a list of the specific roots that are SGC enabled?
> Many of them must be due for expiry soon.
SSL Step Up is different from SGC. Certs that are marked as valid for SGC are not necessarily also valid for SSL Step Up, and vice versa. Both SSL Step Up and SGC have separate OIDs that enable them. In Mozilla products, no roots have ever been SGC enabled. Some roots were, and still are, marked as trusted for SSL Step Up. Here's a list.

Verisign/RSA Secure Server CA
GTE CyberTrust Root CA
GTE CyberTrust Global Root
Thawte Server CA
Thawte Premium Server CA
ABAecom (sub., Am. Bankers Assn.) Root CA
Digital Signature Trust Co. Global CA 1
Digital Signature Trust Co. Global CA 2
Digital Signature Trust Co. Global CA 3
Digital Signature Trust Co. Global CA 4
Verisign Class 3 Public Primary Certification Authority
Verisign Class 4 Public Primary Certification Authority - G2
Verisign Class 4 Public Primary Certification Authority - G3

> Is the intent to renew/replace them with SGC super-powers, or to let
> SGC fade away?

SSL Step Up is completely moot in all Mozilla (and Netscape) browsers made since year 2001 or 2002. It was only ever relevant to "export" class browsers exported from the USA. That does not include any Mozilla browser made since PSM was integrated into Mozilla.

Today, if there remains ANY relevance of SSL Step Up (or SGC) to anything, it is only to the extent that export client products developed in the USA before year 2002 are still in use. Some of us believe that few, if any, such clients are still in use. The security concerns for any such old products would be very grave indeed.

I suspect that the reason for Gerv's inquiry was to try to collect statistics on the number of such clients actually still in use. It is necessary to know which clients to look for when amassing such stats. The set of browsers using SGC would include products that embed IE's http engine and run on old export-grade versions of Windows, probably pre-dating XP.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
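The post says Step-Up and SGC are enabled by separate OIDs. The following is an added example (not from the thread or from NSS) that decodes the DER body of a certificate's extendedKeyUsage extension with the standard library only and reports which of the two it carries; it uses the Netscape Step-Up OID 2.16.840.1.113730.4.1 and the Microsoft SGC OID 1.3.6.1.4.1.311.10.3.3, and the sample EKU bytes are constructed here, not taken from any real certificate.

```python
# Added example: inspect an extendedKeyUsage value for Step-Up / SGC OIDs.
# The OIDs are the well-known Netscape and Microsoft values; the sample
# extension bytes below are constructed for this example.
NETSCAPE_STEP_UP = "2.16.840.1.113730.4.1"   # nsSGC, Netscape Step-Up
MICROSOFT_SGC = "1.3.6.1.4.1.311.10.3.3"     # msSGC
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"            # id-kp-serverAuth

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content octets to dotted form (first arc < 2.40 assumed)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)        # base-128, high bit = continue
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def eku_oids(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU member is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(val))
    return oids

def classify(der):
    """Report which server-cert purposes the EKU enables."""
    oids = set(eku_oids(der))
    return {"step_up": NETSCAPE_STEP_UP in oids,
            "sgc": MICROSOFT_SGC in oids,
            "server_auth": SERVER_AUTH in oids}

# Constructed samples: one EKU with serverAuth + nsSGC + msSGC, one plain.
STEP_UP_EKU = bytes.fromhex("3021" "06082b06010505070301"
                            "06096086480186f8420401" "060a2b0601040182370a0303")
PLAIN_EKU = bytes.fromhex("300a" "06082b06010505070301")
```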