40-bits certificate

40-bits certificate

imana sakki
hello everyone
in VeriSign I saw correctly (their web pages) they are actually selling certificates for 40
bit and for 128 bit encryption, what does it mean? Is there a parameter in the certificate that determines the size of session key? If you understand, please explain for me. I'm thank you very much.


Re: 40-bits certificate

Dr. Stephen Henson
On Tue, Oct 25, 2005, imana sakki wrote:

> hello everyone
> in VeriSign I saw correctly (their web pages) they are actually selling certificates for 40
> bit and for 128 bit encryption, what does it mean? Is there a parameter in the certificate that determines the size of session key? If you understand, please explain for me. I'm thank you very much.
>
>

See http://www.openssl.org/support/faq.html#USER14

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: 40-bits certificate

Vladimir E. Protaschuk
Dr. Stephen Henson wrote:
> On Tue, Oct 25, 2005, imana sakki wrote:
>
>> hello everyone
>> in VeriSign I saw correctly (their web pages) they are actually selling certificates for 40
>> bit and for 128 bit encryption, what does it mean? Is there a parameter in the certificate that determines the size of session key? If you understand, please explain for me. I'm thank you very much.
>

Hi Steve, if you have to use 128 bit encryption - see Server Gated Crypto attribute
Vladimir E. Protaschuk

> See http://www.openssl.org/support/faq.html#USER14
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

-- 

http://www.utn.com.ua/
====================================================
Using digital signature tools in combination
with encryption of the data you send helps prevent
confidential information in your e-mail correspondence
with partners and friends from being altered
or read.
====================================================
IN WEB WE TRUST - Ukraine Trust Network


X509_verify return

David Brock
In reply to this post by Dr. Stephen Henson
Using X509_verify is there a way (programmatically) to tell if the
certificate verification failed because of an unknown CA versus a
corrupted certificate?

Thanks,

                     -David-

Re: X509_verify return

Dr. Stephen Henson
On Tue, Oct 25, 2005, David Brock wrote:

> Using X509_verify is there a way (programmatically) to tell if the
> certificate verification failed because of an unknown CA versus a
> corrupted certificate?
>

Depends on how the certificate is corrupted.

Some kinds of corruption will be trapped by the ASN1 parser and so this won't
even reach the verification routines.

Most other forms of corruption will cause the signature check to fail.

Some unlikely ones could corrupt the certificate subject name while still
remaining valid ASN1. Those would themselves produce an unknown CA error.

That aside, the verification failure reason is sufficient to tell the
difference.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
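
The outcomes described in this reply (rejected by the ASN.1 parser, signature check failure, unknown CA), reproduced with the `openssl` command-line tool as an added example; it is not code from the thread or from the OpenSSL project. It assumes OpenSSL 1.1.0 or later on the PATH, and every certificate, subject name and file name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed certificates, classified by the stage that rejects them.

# classify CAFILE CERT -> ok | parse_error | unknown_ca | bad_signature | other
classify() {
    # Stage 1: the ASN.1 parser. A certificate that fails here never reaches verification.
    openssl x509 -in "$2" -noout 2>/dev/null || { echo parse_error; return 0; }
    # Stage 2: chain verification; the failure reason separates the remaining cases.
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *"unable to get local issuer certificate"*) echo unknown_ca ;;    # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        *"certificate signature failure"*)          echo bad_signature ;; # X509_V_ERR_CERT_SIGNATURE_FAILURE
        *": OK"*)                                   echo ok ;;
        *)                                          echo other ;;
    esac
}

# make_fixtures DIR: two constructed CAs, a leaf signed by the first, and two damaged copies.
make_fixtures() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/cnf"
    for n in 1 2; do
        openssl req -x509 -config "$d/cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
            -keyout "$d/ca$n.key" -out "$d/ca$n.pem" -subj "/CN=Constructed CA $n" -days 2 2>/dev/null
    done
    openssl req -new -config "$d/cnf" -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/CN=leaf.example" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca1.pem" -CAkey "$d/ca1.key" \
        -set_serial 1 -days 2 -out "$d/leaf.pem" 2>/dev/null
    openssl x509 -in "$d/leaf.pem" -outform DER -out "$d/leaf.der"
    # Signature damage: flip one bit in the last byte (inside the signature BIT STRING),
    # which leaves the DER structure valid.
    size=$(wc -c < "$d/leaf.der")
    last=$(tail -c 1 "$d/leaf.der" | od -An -tu1 | tr -d ' ')
    { head -c $((size - 1)) "$d/leaf.der"; printf "\\$(printf '%03o' $((last ^ 1)))"; } > "$d/badsig.der"
    openssl x509 -inform DER -in "$d/badsig.der" -out "$d/badsig.pem"
    # Structural damage: a truncated DER body no longer decodes.
    { echo "-----BEGIN CERTIFICATE-----"; head -c 100 "$d/leaf.der" | openssl base64
      echo "-----END CERTIFICATE-----"; } > "$d/truncated.pem"
}

work=$(mktemp -d) && make_fixtures "$work"
for c in leaf badsig truncated; do
    echo "$c vs CA 1: $(classify "$work/ca1.pem" "$work/$c.pem")"
done
echo "leaf vs CA 2: $(classify "$work/ca2.pem" "$work/leaf.pem")"
```

In a C program the same split appears as a failed `d2i_X509()` for the first case and as the `X509_V_ERR_*` value from `X509_STORE_CTX_get_error()` after `X509_verify_cert()` for the others.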

Re: 40-bits certificate

imana sakki
In reply to this post by Dr. Stephen Henson
hello
thanks for your answer,
I want to know which parameter in the certificate signed by VeriSign determines that it is 128-bits or 40-bits?

"Dr. Stephen Henson" <[hidden email]> wrote:
On Tue, Oct 25, 2005, imana sakki wrote:

> hello everyone
> in VeriSign I saw correctly (their web pages) they are actually selling certificates for 40
> bit and for 128 bit encryption, what does it mean? Is there a parameter in the certificate that determines the size of session key? If you understand, please explain for me. I'm thank you very much.
>
>

See http://www.openssl.org/support/faq.html#USER14

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: 40-bits certificate

Dr. Stephen Henson
On Fri, Oct 28, 2005, imana sakki wrote:

> hello thanks for your answer, I want to know which parameter in the
> certificate signed by VeriSign determines that it is 128-bits or 40-bits?
>

As the FAQ entry says, these days just about any browser or server will use 128
bits automatically for any certificate. It's just a few obsolete "export"
browsers that need the extension; by far the best advice would be to get the
browser upgraded.

If you really want to know, there are two parameters. These are part of the
extended key usage (EKU) extension. These are called "Microsoft Server Gated
Crypto" and "Netscape Server Gated Crypto", though "Netscape Step Up" would be a
more accurate name. Every certificate in the chain with the exception of the
root must include these.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
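
To see the two EKU values named in this reply in an actual certificate, the following added example (not code from the thread or from the OpenSSL project) reports which certificates carry them. It assumes the `openssl` command-line tool is on the PATH; the certificates are constructed self-signed stand-ins in which only the EKU matters, the function and file names are made up for the example, and the two numeric OIDs are the registered identifiers OpenSSL prints under those two names.

```shell
#!/bin/sh
# Added example: report which certificates carry the SGC / step-up key purposes in their EKU.

# sgc_purposes CERT -> space-separated subset of "msSGC nsSGC" found in the EKU extension
sgc_purposes() {
    # The line after the extension heading in the text dump lists the key purposes.
    eku=$(openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    found=""
    case $eku in *"Microsoft Server Gated Crypto"*) found="msSGC" ;; esac
    case $eku in *"Netscape Server Gated Crypto"*) found="${found:+$found }nsSGC" ;; esac
    echo "$found"
}

# chain_missing_sgc CERT... -> file names of the given non-root certificates lacking either purpose
chain_missing_sgc() {
    missing=""
    for c in "$@"; do
        [ "$(sgc_purposes "$c")" = "msSGC nsSGC" ] || missing="${missing:+$missing }$(basename "$c")"
    done
    echo "$missing"
}

# make_sgc_fixtures DIR: one constructed certificate with both SGC purposes, one without.
make_sgc_fixtures() {
    {
        printf '[req]\ndistinguished_name=dn\n[dn]\n'
        # 1.3.6.1.4.1.311.10.3.3 = Microsoft SGC, 2.16.840.1.113730.4.1 = Netscape SGC
        printf '[sgc]\nextendedKeyUsage=serverAuth,1.3.6.1.4.1.311.10.3.3,2.16.840.1.113730.4.1\n'
        printf '[plain]\nextendedKeyUsage=serverAuth\n'
    } > "$1/cnf"
    for s in sgc plain; do
        openssl req -x509 -config "$1/cnf" -extensions "$s" -newkey rsa:2048 -nodes \
            -keyout "$1/$s.key" -out "$1/$s.pem" -subj "/CN=$s.example" -days 2 2>/dev/null
    done
}

work=$(mktemp -d) && make_sgc_fixtures "$work"
echo "sgc.pem carries: $(sgc_purposes "$work/sgc.pem")"
echo "lacking an SGC purpose: $(chain_missing_sgc "$work/sgc.pem" "$work/plain.pem")"
```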