[openssl-commits] [web] master update

Matt Caswell matt at openssl.org
Tue Jun 13 11:48:47 UTC 2017

The branch master has been updated
       via  ce61d943df47682d26c85d02a729c87b947064a9 (commit)
      from  c8951be9c9304625caba1c9d37556e84210ec76b (commit)

- Log -----------------------------------------------------------------
commit ce61d943df47682d26c85d02a729c87b947064a9
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jun 13 11:25:58 2017 +0100

    Remove FAQ about SGC and step-up certs
    These are not typically used any more.
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13)


Summary of changes:
 docs/faq-2-user.txt | 36 ------------------------------------
 1 file changed, 36 deletions(-)

diff --git a/docs/faq-2-user.txt b/docs/faq-2-user.txt
index 7e8ca35..896da42 100644
--- a/docs/faq-2-user.txt
+++ b/docs/faq-2-user.txt
@@ -175,42 +175,6 @@ interface, the "-nameopt" option could be introduced. See the manual
 page of the "openssl x509" command line tool for details. The old behaviour
 has however been left as default for the sake of compatibility.
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-The term "128 bit certificate" is a highly misleading marketing term. It does
-not refer to the size of the public key in the certificate! A certificate
-containing a 128 bit RSA key would have negligible security.
-There were various other names such as "magic certificates", "SGC
-certificates", "step up certificates" etc.
-You can't generally create such a certificate using OpenSSL but there is no
-need to any more. Nowadays web browsers using unrestricted strong encryption
-are generally available.
-When there were tight restrictions on the export of strong encryption
-software from the US only weak encryption algorithms could be freely exported
-(initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation of the rules allowed the use of strong encryption but
-only to an authorised server.
-Two slightly different techniques were developed to support this, one used by
-Netscape was called "step up", the other used by MSIE was called "Server Gated
-Cryptography" (SGC). When a browser initially connected to a server it would
-check to see if the certificate contained certain extensions and was issued by
-an authorised authority. If these test succeeded it would reconnect using
-strong encryption.
-Only certain (initially one) certificate authorities could issue the
-certificates and they generally cost more than ordinary certificates.
-Although OpenSSL can create certificates containing the appropriate extensions
-the certificate would not come from a permitted authority and so would not
-be recognized.
-The export laws were later changed to allow almost unrestricted use of strong
-encryption so these certificates are now obsolete.
 * Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
 It doesn't: this extension is often the cause of confusion.
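Review bot: Dropping the whole "128 bit certificate" entry leaves the FAQ with no answer for users who still search it for "SGC" or "step up" certificates, which the removed text shows were sold under several names; consider keeping a one-line entry stating that the term is a marketing label, that such certificates are obsolete since the export rules changed, and that OpenSSL cannot create one, so the question is still answered rather than silently missing. The removed text also carries a useful warning worth preserving somewhere, namely that "128 bit" never referred to the public key size and that "A certificate containing a 128 bit RSA key would have negligible security". Separately, the hunk removes the entry directly before "* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?"; please confirm the blank-line separator between the preceding "-nameopt" answer and the AKID question survives in the resulting file so the two entries do not run together.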
