OCSP-in-DNS (was Re: For discussion: MECAI: Mutually Endorsing CA Infrastructure)

2011-12-07 Thread Rob Stradling
On Wednesday 07 Dec 2011 04:19:09 Kai Engert wrote:

> I haven't researched, but has anyone already thought of distributing
> OCSP records using DNS in general?
> 
> If we had OCSP-in-DNS, we might not even require OCSP stapling. This
> could run as a service completely independent of the SSL servers - only
> clients would need to be updated to fetch OCSP from DNS - does this make
> sense?

Hi Kai.

We discussed OCSP-in-DNS over at m.d.s.policy earlier this year...
https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/a5f14bbd3159c44f/446abd478dc847ec
(it's a long thread, but it does contain a lot of useful thoughts)

Recalling that discussion, Gerv recently said...
https://mail1.eff.org/pipermail/observatory/2011-September/000405.html
"...the arguments for something DNS-based are IMO very strong (much better 
privacy story, very hard to DOS, cached and distributed)."

Peter Gutmann lists numerous deficiencies with the OCSP protocol - e.g. see 
here...
https://mail1.eff.org/pipermail/observatory/2011-September/000330.html
I think that any future DNS-based certificate status checking protocols should 
at least consider addressing some of these issues.



Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: SSL_ConfigSecureServer and on the fly cert generation

2011-12-07 Thread passfree
On Dec 2, 6:26 pm, Robert Relyea wrote:
> On 12/02/2011 07:46 AM, passfree wrote:
> > I am writing an experimental tool and I need to generate an SSL server
> > on the fly. Needless to say, NSS seems like the perfect choice but
> > here is where I am stuck.
>
> > SSL_ConfigSecureServer expects a cert, a key and a type. I've tried to
> > look into certutil to see how these are generated but I find it really
> > confusing. Can someone point me in the right direction on how to
> > make this stuff in memory without needing to use certutil?
>
> Cert generation needs more than just certutil. You'll need to attach to
> some CA and have it sign your certificate. You may want to look at
> dogtag (an open source CA).
>
> For testing, you can look at the examples in the NSS tests:
> mozilla/security/nss/tests/cert/certs.sh for how to generate cert chains
> and keys in certutil.
>
> > I just need to generate a random CERTCertificate, the corresponding
> > SECKEYPrivateKey. I can get the type myself.
>
> > Your help is much appreciated.
>
> If you want to do that programmatically, look at certutil's code for
> generating a cert request. That will give you a private key and a
> corresponding cert request to send to a CA. The API for talking to a CA
> is CA specific, but the CA will take your cert request along with your
> authorization info (specific to the CA) and return a DER cert.
> You can then call CERT_NewTempCertificate() on the blob to get a
> CERTCertificate, then call PK11_ImportCertForKey() on the CERTCertificate
> so that NSS will pair it up with the already existing private key (NSS
> will automatically find the private key).
>
> bob

Is it possible to start NSS_Init without creating dbs? I guess what I
am asking is if I can have all of this in memory rather than on disk. I
need to create a self-contained executable.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: SSL_ConfigSecureServer and on the fly cert generation

2011-12-07 Thread Robert Relyea
On 12/07/2011 07:01 AM, passfree wrote:
> On Dec 2, 6:26 pm, Robert Relyea wrote:
>> On 12/02/2011 07:46 AM, passfree wrote:
>>> I am writing an experimental tool and I need to generate an SSL server
>>> on the fly. Needless to say, NSS seems like the perfect choice but
>>> here is where I am stuck.
>>> SSL_ConfigSecureServer expects a cert, a key and a type. I've tried to
>>> look into certutil to see how these are generated but I find it really
>>> confusing. Can someone point me in the right direction on how to
>>> make this stuff in memory without needing to use certutil?
>> Cert generation needs more than just certutil. You'll need to attach to
>> some CA and have it sign your certificate. You may want to look at
>> dogtag (an open source CA).
>>
>> For testing, you can look at the examples in the NSS tests:
>> mozilla/security/nss/tests/cert/certs.sh for how to generate cert chains
>> and keys in certutil.
>>
>>> I just need to generate a random CERTCertificate, the corresponding
>>> SECKEYPrivateKey. I can get the type myself.
>>> Your help is much appreciated.
>> If you want to do that programmatically, look at certutil's code for
>> generating a cert request. That will give you a private key and a
>> corresponding cert request to send to a CA. The API for talking to a CA
>> is CA specific, but the CA will take your cert request along with your
>> authorization info (specific to the CA) and return a DER cert.
>> You can then call CERT_NewTempCertificate() on the blob to get a
>> CERTCertificate, then call PK11_ImportCertForKey() on the CERTCertificate
>> so that NSS will pair it up with the already existing private key (NSS
>> will automatically find the private key).
>>
>> bob
> Is it possible to start NSS_Init without creating dbs? I guess what I
> am asking is if I can have all of this in memory rather than on disk. I
> need to create a self-contained executable.
Yes, though if you are trying to start an SSL server, you need to get a
cert from somewhere. You aren't allowed to just create a cert on your
own on the fly -- if you could, SSL would lose all its utility.

In order to do what you want to do, you'd have to have some connection
to a CA to sign your certificate once you created it on the fly. You'd
need to be able to authenticate to that CA. Somehow.

I guess my point is, there are lots of things that can be done, but I'm
thinking you want to have a standalone SSL server that has no storage,
and I think that idea is fundamentally a loser (whether or not you are
using NSS).

bob

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: SSL_ConfigSecureServer and on the fly cert generation

2011-12-07 Thread Honza Bambas

On 12/7/2011 4:01 PM, passfree wrote:
> Is it possible to start NSS_Init without creating dbs? I guess what I
> am asking is if I can have all of this in memory rather than on disk. I
> need to create a self-contained executable.

If you are sure of what you are doing, then NSS_NoDB_Init can be what you need.
-hb-
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
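The flow Bob sketches (generate a key, build a cert request for it, have a CA sign it, pair the returned DER cert with the key you already hold) together with his point that a client only accepts the result if it trusts whoever signed it, and Honza's note that all of this can stay in memory, written out as an added example. This is not code from the thread or from NSS: the NSS C API needs a live NSS build, so the example uses Go's standard-library crypto/x509 and crypto/tls, where the steps map one to one (x509.ParseCertificate roughly plays the CERT_NewTempCertificate role, and putting the DER cert and the private key into one tls.Certificate is the PK11_ImportCertForKey pairing). The in-memory CA, its name, and the host name server.example are constructed for the example; nothing is written to disk, which is what NSS_NoDB_Init gives you on the NSS side.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must collapses error paths this example cannot recover from (CSPRNG, DER).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSerial returns a random positive 64-bit serial number.
func newSerial() *big.Int {
	n := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	return n.Add(n, big.NewInt(1))
}

// memCA is a constructed stand-in for the external CA Bob refers to. It lives
// only in memory: no NSS database, no key file, nothing on disk.
type memCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newMemCA() *memCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: "Example In-Memory CA"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &memCA{cert: must(x509.ParseCertificate(der)), key: key}
}

// sign is the CA side of Bob's flow: parse the DER request, check that the
// requester really holds the key (the CSR's self-signature) and issue a
// short-lived server leaf. A real CA would also authenticate the requester.
func (ca *memCA) sign(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr proof of possession: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// issueServerCert is the requester side: generate a key, build a request for
// it, send the request to the CA, then pair the DER cert that comes back with
// the private key that never left memory (NSS's PK11_ImportCertForKey step).
func issueServerCert(ca *memCA, host string) (tls.Certificate, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	certDER, err := ca.sign(must(x509.CreateCertificateRequest(rand.Reader, req, key)))
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf := must(x509.ParseCertificate(certDER)) // the CERT_NewTempCertificate step
	return tls.Certificate{Certificate: [][]byte{certDER}, PrivateKey: key, Leaf: leaf}, nil
}

// clientAccepts is the check a TLS client runs on the server's leaf: chain to
// a root it trusts and match the host name. This is the step Bob says no
// amount of on-the-fly generation can get past.
func clientAccepts(srv tls.Certificate, roots *x509.CertPool, host string) error {
	_, err := srv.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	const host = "server.example" // hypothetical host name
	ca, rogue := newMemCA(), newMemCA() // the client will trust only the first
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	fmt.Println("issued by the trusted CA: ", clientAccepts(must(issueServerCert(ca, host)), roots, host))
	fmt.Println("issued by an untrusted CA:", clientAccepts(must(issueServerCert(rogue, host)), roots, host))
}
```

Running it, the first check returns nil and the second an x509.UnknownAuthorityError. The second CA is exactly what the question asks for: a process that mints its own certificate on the fly. The certificate is well formed and the key pairing works, but no client has a reason to trust its issuer, which is the gap Bob describes; the tls.Certificate returned by issueServerCert is what you would put in a tls.Config's Certificates (the SSL_ConfigSecureServer equivalent), and whether a client accepts it depends only on what is in the client's root pool.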