Gervase Markham wrote, On 2009-01-20 20:33:
> Nelson B Bolyard wrote:
>> In Mozilla products, no roots have ever been SGC enabled.
>> Some roots were, and still are, marked as trusted for SSL Step Up.
>> Here's a list.
>
> Is the marking internal to or external to the cert? The fact that you
> say no certs have ever been SGC-enabled makes me suspect that it's the
> latter, because some of the major certs on the list are ones I would
> expect to be SGC-enabled in IE.

SSL Step Up is enabled by a trust flag. There has never been any UI for setting or clearing that flag. It is set "at the factory". Any CA cert added by the browser will not have that flag. If a root CA cert that has that flag is deleted and re-added, it will no longer have that flag.

> If it is the latter, what would be the effect of us removing the SSL
> Step Up trust bit in NSS for the list of roots you give?

No effect whatsoever. The bit has no effect today in any Mozilla browser produced in the last 6 years (at least). It is purely a historic artifact, of interest now only to software historians and archeologists, and some CAs who still sell certs with those OIDs as holy relics.

The only way you could have any effect would be to retroactively remove that trust bit in browsers that are now 6+ years old.

SGC and SSL Step Up are simply irrelevant to modern browsers. They may have some slight relevance to ancient browsers still in use, but I doubt it. I hope no-one is doing online banking with Netscape Communicator 4.5!

> Gerv

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto