iPlanet Certificate Management System Installation and Setup Guide



Appendix C   Export Control Information


This appendix describes the cryptographic operations, key lengths, and cipher suites that have received US government approval for the export-controlled version of iPlanet Certificate Management Server. It does not describe the global version of Certificate Management System.

In most cases, the full-strength encryption version (or global version) of Certificate Management System is exportable outside of the United States of America. Certificate Management System has received "retail" status from the United States Department of Commerce Bureau of Export Administration; under new regulations, retail status makes it possible to export Certificate Management System with the same encryption and cryptographic features available in the US and Canada.

The global version of Certificate Management System is still not exportable to the following persons:

  • End-users in nine prohibited destinations: Afghanistan (Taliban-controlled areas), Cuba, Iran, Iraq, Libya, North Korea, Serbia (except Kosovo), Sudan, and Syria

  • Persons prohibited by US law from receiving exports (including Denied Parties, Denied Entities, and Specially Designated Nationals)

Other conditions may apply which require that only the export-controlled version of Certificate Management System be made available to certain persons. For example, local laws may prohibit importing strong encryption, US law may change in the future, or Certificate Management System may come as part of a larger software bundle that does not receive retail status from the US government.

This appendix has the following sections:

  • Approved Export Operations and Key Sizes

  • SSL Cipher Suite Profiles for Export

Approved Export Operations and Key Sizes

Table C-1 lists all cryptographic operations available in the export-controlled version of Certificate Management System, and the key strength or algorithm strength allowed for each operation. The term export-strength is defined in SSL Cipher Suite Profiles for Export.


Table C-1    Approved export operations and key lengths

| Description of cryptographic operation | Key length or algorithm strength |
|---|---|
| SSL connections: from end entity to Registration Manager [HTML forms] | export-strength SSL |
| SSL connections: from end entity to Registration Manager [CSR processors] | export-strength SSL |
| SSL connections: from Registration Manager to Certificate Manager | export-strength SSL |
| SSL connections: from Registration Manager to Data Recovery Manager | export-strength SSL |
| SSL connections: from Registration Manager to Directory | export-strength SSL |
| SSL connections: from Certificate Manager to Directory | export-strength SSL |
| SSL connections: from iPlanet Console to Registration Manager, Certificate Manager, and Data Recovery Manager subsystems | export-strength SSL |
| Generation, verification, and storage of PQG parameters along with DSA certificates | P,G <= 4096 and Q=160 bits |
| Generation, signing (encryption), verifying (decryption), and storage of RSA keys for the purpose of signing/verifying X.509 digital certificates | key <= 4096 bits |
| Generation, signing (encryption), verifying (decryption), and storage of DSA keys for the purpose of signing/verifying X.509 digital certificates | key <= 4096 bits |
| Generation, signing, verifying, and storage of RSA keys for the purpose of client authentication from Registration Manager to Certificate Manager subsystems | key <= 4096 bits |
| Generation, signing, verifying, and storage of RSA keys for the purpose of client authentication from Registration Manager to Data Recovery Manager subsystems | key <= 4096 bits |
| Generation, signing, verifying, and storage of RSA keys for the purpose of client authentication from Registration Manager subsystems to Directory | key <= 4096 bits |
| Generation, signing, verifying, and storage of DSA keys for the purpose of client authentication from Registration Manager to Certificate Manager subsystems | key <= 4096 bits |
| Generation, signing, verifying, and storage of DSA keys for the purpose of client authentication from Registration Manager to Data Recovery Manager subsystems | key <= 4096 bits |
| Generation, signing, verifying, and storage of DSA keys for the purpose of client authentication from Registration Manager subsystems to Directory | key <= 4096 bits |
| Generation, signing, verifying, and storage of RSA keys for the purpose of client authentication between Registration Manager, Certificate Manager, and Data Recovery Manager subsystems | key <= 4096 bits |
| Generation, signing, verifying, and storage of DSA keys for the purpose of client authentication between Registration Manager, Certificate Manager, and Data Recovery Manager subsystems | key <= 4096 bits |
| Generation, signing, verifying, and storage of RSA keys for the purpose of SSL server authentication of the Registration Manager | authentication key <= 4096 bits; key exchange key <= 1024 bits |
| Generation, signing, verifying, and storage of RSA keys for the purpose of SSL server authentication of the Certificate Manager | authentication key <= 4096 bits; key exchange key <= 1024 bits |
| Generation, signing, verifying, and storage of RSA keys for the purpose of SSL server authentication of the Data Recovery Manager | authentication key <= 4096 bits; key exchange key <= 1024 bits |
| Generation, signing, verifying, and storage of DSA keys for the purpose of SSL server authentication of the Registration Manager | authentication key <= 4096 bits; key exchange key <= 1024 bits |
| Generation, signing, verifying, and storage of DSA keys for the purpose of SSL server authentication of the Certificate Manager | authentication key <= 4096 bits; key exchange key <= 1024 bits |
| Generation, signing, verifying, and storage of DSA keys for the purpose of SSL server authentication of the Data Recovery Manager | authentication key <= 4096 bits; key exchange key <= 1024 bits |
| Signature and verification of CMMF/CRMF messages by Certificate Manager, Registration Manager, and Data Recovery Manager using RSA algorithm | key <= 4096 bits |
| Signature and verification of CMMF/CRMF messages by Certificate Manager, Registration Manager, and Data Recovery Manager using DSA algorithm | key <= 4096 bits |
| Transport key for Data Recovery Manager: generation, storage, and verification of RSA key for the purpose of transport of end-entity private keys to the Data Recovery Manager (unwrap of keys) | key <= 4096 bits |
| Long-term storage key for Data Recovery Manager: generation, storage, encryption, and decryption using RSA key for the purpose of long term storage of end-entity private keys (wrap and unwrap of keys for storage and recovery) | key <= 4096 bits |
| Bulk ciphers for use in encrypting key material for long term storage within Data Recovery Manager | DES-EDE3, RC2-128, RC2-40, DES |
| Bulk ciphers for use in encrypting key material for transport between Registration Manager and Data Recovery Manager | DES-EDE3, RC2-128, RC2-40, DES |



SSL Cipher Suite Profiles for Export



Table C-2 summarizes the cipher suite profiles approved by the US government for use in the export-controlled version of Certificate Management System.


Table C-2    SSL 3.0 export-approved cipher suite profiles for Export  

| SSL Protocol Version | Cipher-key length (mode) and hash algorithm |
|---|---|
| SSL2 | RC4-128-EXPORT40-WITH-MD5 |
| SSL2 | RC2-128-CBC-EXPORT40-WITH-MD5 |
| SSL3 | RSA-WITH-RC4-40-MD5 |
| SSL3 | RSA-EXPORT56-WITH-RC4-MD5 |
| SSL3 | RSA-WITH-RC2-CBC-40-MD5 |
| SSL3 | RSA-EXPORT56-WITH-RC2-CBC-MD5 |
| SSL3 | RSA-EXPORT-WITH-DES40-CBC-SHA |
| SSL3 | RSA-EXPORT56-WITH-DES-CBC-SHA |
| SSL3 | RSA-WITH-NULL-MD5 |
| SSL3 | RSA-WITH-NULL-SHA |


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002