Encrypted sessions

[Nicholas Bohm]

I was left uncertain by recent exchanges about Server Gated Technology, and
in the hope of enlightenment (and tolerance) from experts on the list,
would like to state the questions as I understand them.

I use Netscape, and have "fortified" it.  As I understand it, this means
that it can establish an SSL session based on a 128-bit symmetric key if
the server is capable of doing this (whereas crippled Netscape, and any
non-US version of MS IE, can only use a 40-bit key).  Right so far?

What I want to ask about is the server side, and whether there is a
corresponding problem.  Is there lots of server software available for
people who want sites that can set up 128-bit SSL sessions, or is there
lots of crippled software that can only set up 40-bit sessions?  Is there a
server equivalent of PGP or Fortify, so that everyman can if he wants set
up servers that support secure SSL sessions?  Is this what Apache servers
can do?

Is there some simple way to tell what strength session has been established?

I gather that there is some deal where banks can get a certificate from
someone that lets them enable 128-bit sessions on software that, in the
absence of the certificate, sets up only 40-bit sessions:  will
export-crippled browsers nevertheless be able to establish 128-bit sessions
with such servers?

Lastly, is it right to assume that in all these cases the key negotiation
process itself is secure, and that only the strength of the resulting key
is what is affected by the limitations?

Regards,

Nicholas Bohm

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone		01279 871272	(+44 1279 871272)
Fax		01279 870215	(+44 1279 870215)
Mobile   	0860 636749  	(+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF