Appendix C
Export Control Information
This appendix describes the cryptographic operations, key lengths, and cipher suites that have received US government approval for the export-controlled version of iPlanet Certificate Management System. It does not describe the global version of Certificate Management System.
In most cases, the full-strength encryption version (or global version) of Certificate Management System is exportable outside of the United States of America. Certificate Management System has received "retail" status from the United States Department of Commerce Bureau of Export Administration; under new regulations, retail status makes it possible to export Certificate Management System with the same encryption and cryptographic features available in the US and Canada.
The global version of Certificate Management System is still not exportable to the following persons:
End-users in nine prohibited destinations: Afghanistan (Taliban-controlled areas), Cuba, Iran, Iraq, Libya, North Korea, Serbia (except Kosovo), Sudan, and Syria
Persons prohibited by US law from receiving exports (including Denied Parties, Denied Entities, and Specially Designated Nationals)
Other conditions may apply which require that only the export-controlled version of Certificate Management System be made available to certain persons. For example, local laws may prohibit importing strong encryption, US law may change in the future, or Certificate Management System may come as part of a larger software bundle that does not receive retail status from the US government.
This appendix has the following sections:
Approved Export Operations and Key Sizes
Table C-1 lists all cryptographic operations available in the export-controlled version of Certificate Management System, and the key strength or algorithm strength allowed for each operation. The term export-strength is defined in SSL Cipher Suite Profiles for Export.
Table C-1    Approved export operations and key lengths
Description of cryptographic operation
|
Key length or algorithm strength
|
SSL connections: from end entity to Registration Manager [HTML forms]
|
export-strength SSL
|
SSL connections: from end entity to Registration Manager [CSR processors]
|
export-strength SSL
|
SSL connections: from Registration Manager to Certificate Manager
|
export-strength SSL
|
SSL connections: from Registration Manager to Data Recovery Manager
|
export-strength SSL
|
SSL connections: from Registration Manager to Directory
|
export-strength SSL
|
SSL connections: from Certificate Manager to Directory
|
export-strength SSL
|
SSL connections: from Netscape Console to Registration Manager, Certificate Manager, and Data Recovery Manager subsystems
|
export-strength SSL
|
Generation, verification, and storage of PQG parameters along with DSA certificates
|
P,G <= 4096 and Q=160 bits
|
Generation, signing (encryption), verifying (decryption), and storage of RSA keys for the purpose of signing/verifying X.509 digital certificates
|
key <= 4096 bits
|
Generation, signing (encryption), verifying (decryption), and storage of DSA keys for the purpose of signing/verifying X.509 digital certificates
|
key <= 4096 bits
|
Generation, signing, verifying, and storage of RSA keys for the purpose of client authentication from Registration Manager to Certificate Manager subsystems
|
key <= 4096 bits
|
Generation, signing, verifying, and storage of RSA keys for the purpose of client authentication from Registration Manager to Data Recovery Manager subsystems
|
key <= 4096 bits
|
Generation, signing, verifying, and storage of RSA keys for the purpose of client authentication from Registration Manager subsystems to Directory
|
key <= 4096 bits
|
Generation, signing, verifying, and storage of DSA keys for the purpose of client authentication from Registration Manager to Certificate Manager subsystems
|
key <= 4096 bits
|
Generation, signing, verifying, and storage of DSA keys for the purpose of client authentication from Registration Manager to Data Recovery Manager subsystems
|
key <= 4096 bits
|
Generation, signing, verifying, and storage of DSA keys for the purpose of client authentication from Registration Manager subsystems to Directory
|
key <= 4096 bits
|
Generation, signing, verifying, and storage of RSA keys for the purpose of client authentication between Registration Manager, Certificate Manager, and Data Recovery Manager subsystems
|
key <= 4096 bits
|
Generation, signing, verifying, and storage of DSA keys for the purpose of client authentication between Registration Manager, Certificate Manager, and Data Recovery Manager subsystems
|
key <= 4096 bits
|
Generation, signing, verifying, and storage of RSA keys for the purpose of SSL server authentication of the Registration Manager
|
authentication key <= 4096 bits key exchange key <= 1024 bits
|
Generation, signing, verifying, and storage of RSA keys for the purpose of SSL server authentication of the Certificate Manager
|
authentication key <= 4096 bits key exchange key <= 1024 bits
|
Generation, signing, verifying, and storage of RSA keys for the purpose of SSL server authentication of the Data Recovery Manager
|
authentication key <= 4096 bits key exchange key <= 1024 bits
|
Generation, signing, verifying, and storage of DSA keys for the purpose of SSL server authentication of the Registration Manager
|
authentication key <= 4096 bits key exchange key <= 1024 bits
|
Generation, signing, verifying, and storage of DSA keys for the purpose of SSL server authentication of the Certificate Manager
|
authentication key <= 4096 bits key exchange key <= 1024 bits
|
Generation, signing, verifying, and storage of DSA keys for the purpose of SSL server authentication of the Data Recovery Manager
|
authentication key <= 4096 bits key exchange key <= 1024 bits
|
Signature and verification of CMMF/CRMF messages by Certificate Manager, Registration Manager, and Data Recovery Manager using RSA algorithm
|
key <= 4096 bits
|
Signature and verification of CMMF/CRMF messages by Certificate Manager, Registration Manager, and Data Recovery Manager using DSA algorithm
|
key <= 4096 bits
|
Transport key for Data Recovery Manager: generation, storage, and verification of RSA key for the purpose of transport of end-entity private keys to the Data Recovery Manager (unwrap of keys)
|
key <= 4096 bits
|
Long-term storage key for Data Recovery Manager: generation, storage, encryption, and decryption using RSA key for the purpose of long term storage of end-entity private keys (wrap and unwrap of keys for storage and recovery)
|
key <= 4096 bits
|
Bulk ciphers for use in encrypting key material for long term storage within Data Recovery Manager
|
DES-EDE3, RC2-128, RC2-40, DES
|
Bulk ciphers for use in encrypting key material for transport between Registration Manager and Data Recovery Manager
|
DES-EDE3, RC2-128, RC2-40, DES
|
SSL Cipher Suite Profiles for Export
Table C-2 summarizes the cipher suite profiles approved by the US government for use in the export-controlled version of Certificate Management System.
Table C-2    SSL 3.0 export-approved cipher suite profiles for Export
SSL Protocol Version
|
Cipher-key length (mode) and hash algorithm
|
SSL2
|
RC4-128-EXPORT40-WITH-MD5
|
RC2-128-CBC-EXPORT40-WITH-MD5
|
SSL3
|
RSA-WITH-RC4-40-MD5
|
RSA-EXPORT56-WITH-RC4-MD5
|
RSA-WITH-RC2-CBC-40-MD5
|
RSA-EXPORT56-WITH-RC2-CBC-MD5
|
RSA-EXPORT-WITH-DES40-CBC-SHA
|
RSA-EXPORT56-WITH-DES-CBC-SHA
|
RSA-WITH-NULL-MD5
|
RSA-WITH-NULL-SHA
|