Robert W Weaver is out of the office.
I will be out of the office starting 06/24/2014 and will not return until 07/01/2014. I will have access to my cellphone and will be intermittently checking email, but am generally distracted. Please contact Leslie Lesch for OMS issues.
Re: How to check if certificate is a EV-SSL certificate?
> I'm building an iOS application and trying to check if a certificate, that
> a https-connection uses, is a EV certificate.

Why?

Wikipedia notes "The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement. As with root certificate authorities in general, browsers may not recognize all issuers."

It would seem to be a table lookup issue.

--
Dr. Robert "Woody" Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138
--
It has been said that man is a rational animal. All my life I have been searching for evidence which could support this. -- Bertrand Russell

Steve Behrendt wrote on 05/12/2014 10:59 (sent by owner-openssl-user...@openssl.org to openssl-users@openssl.org, please respond to openssl-users@openssl.org), subject "How to check if certificate is a EV-SSL certificate?":

Hi everyone,

I'm building an iOS application and trying to check if a certificate, that a https-connection uses, is a EV certificate.

Does the OpenSSL-library have a method that gives me that information, if a given certificate is a EV certificate?

I found the method X509_get_ext_d2i(certificateX509, NID_certificate_policies, NULL, NULL) which returns some data depending of the NID provided. Since it is a void-pointer, I don't know, which data type it returns.

Thanks heaps!
Steve

Steve Behrendt
steve.behre...@netlight.com
Netlight Consulting GmbH
www.netlight.de
Residenzstr. 7, 80333 München
Mobile +49 160 4729799
Amtsgericht München, HRB 189944
VAT identification number: DE276206820
Managing Director: Felix Sprick
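The "table lookup" the reply describes, as an added example that is not code from the thread or from OpenSSL: it decodes the DER value of the Certificate Policies extension (the same structure that X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL) hands back in OpenSSL, as a STACK_OF(POLICYINFO) behind the void pointer) and checks each policy OID against a table of EV OIDs. The parser is pure Python so it runs without OpenSSL; the two sample extension values are hand-encoded DER constructed for the example, and the EV table holds the CA/Browser Forum EV policy OID 2.23.140.1.1 plus one obviously fake placeholder standing in for an issuer-specific OID.

```python
# Added example (not from the thread): parse the DER Certificate Policies
# extension value and look its policy OIDs up in a table of EV policy OIDs.
from typing import List, Tuple

# Policy OIDs that count as EV. 2.23.140.1.1 is the CA/Browser Forum EV policy
# OID; "1.2.3.4.5.6.7" is a constructed placeholder standing in for an
# issuer-specific EV OID taken from that issuer's CPS.
EV_POLICY_OIDS = {
    "2.23.140.1.1": "CA/Browser Forum EV",
    "1.2.3.4.5.6.7": "placeholder for an issuer-specific EV OID",
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV starting at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs: List[int] = []
    acc = 0
    pending = False
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)  # high bit set: more base-128 digits follow
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]  # the first two arcs are packed as 40*X + Y
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def certificate_policy_oids(ext_value: bytes) -> List[str]:
    """Parse CertificatePolicies ::= SEQUENCE OF PolicyInformation; return the policy OIDs."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extension value is not a single DER SEQUENCE")
    oids: List[str] = []
    pos = 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        # policyIdentifier comes first; optional policyQualifiers after it are skipped
        tag, oid_content, _ = read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_content))
    return oids


def ev_policies(ext_value: bytes) -> List[str]:
    """Return the policy OIDs in the extension that appear in the EV table."""
    return [oid for oid in certificate_policy_oids(ext_value) if oid in EV_POLICY_OIDS]


# Constructed sample extension values (hand-encoded DER, not from any real certificate).
# EV_SAMPLE: CAB Forum EV policy with a CPS-pointer qualifier (id-qt-cps, "http://x/"),
# followed by anyPolicy (2.5.29.32.0).
EV_SAMPLE = bytes.fromhex(
    "302a"
    "3020" "0605" "67810c0101"
    "3017" "3015" "0608" "2b06010505070201" "1609" "687474703a2f2f782f"
    "3006" "0604" "551d2000"
)
# DV_SAMPLE: anyPolicy only, so there is no EV match.
DV_SAMPLE = bytes.fromhex("3008" "3006" "0604" "551d2000")

if __name__ == "__main__":
    for name, sample in (("EV_SAMPLE", EV_SAMPLE), ("DV_SAMPLE", DV_SAMPLE)):
        print(name, certificate_policy_oids(sample), "EV" if ev_policies(sample) else "not EV")
```

With OpenSSL's own API the same walk is: cast the pointer from X509_get_ext_d2i to CERTIFICATEPOLICIES * (a STACK_OF(POLICYINFO)), loop with sk_POLICYINFO_num / sk_POLICYINFO_value, print each entry's policyid with OBJ_obj2txt, and free the stack with sk_POLICYINFO_pop_free(..., POLICYINFO_free). The lookup is only half the check: a matching OID proves nothing unless the chain also validates to a root that the verifier treats as EV-enabled for that OID, which is the "browsers may not recognize all issuers" caveat above.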
Re: Verisign Problem with smtp tls
Bobber wrote on 12/27/2013 02:47:47 PM:
> I don't see anywhere that it says expired other than this utility. How
> can I verify that it is really expired?

In case you don't trust your openssl install, here is an easy approach using windows:

1. Select everything between -BEGIN CERTIFICATE- and -END CERTIFICATE-
2. Paste into a "notepad". Delete the "> " at the beginning of each line.
3. Save the file, say as "test.txt".
4. From the file manager, change the extension to "test.cer" -- the cer means "certificate".
5. Double click on the file. It will bring up a lot of information about the certificate.

--
Dr. Robert "Woody" Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138
--
The naked truth of it is, I have no shirt. -- William Shakespeare, "Love's Labour's Lost"
Re: how to extract the private key out of the KEY.PEM
Kenneth Goldman/Watson/IBM@IBMUS wrote on 11/20/2013 10:37:04 AM:
> > Encrypt with a private key for integrity purposes: this shows that the
> > data that was encrypted corresponds to the owner of the key.
> > Encrypt with a public key for confidentiality purposes: this shows that
> > the data can only be received by the owner of the key.

A koan of sorts that I've always liked concerns a policeman counseling a pedestrian on crossing a street. It does not matter if there is no traffic if the light is not green. It does not matter if the light is green if there is traffic.

That is, you can't cross just because things are clear -- I'll still ticket you if you step off the curb on a red light. On the other hand, if you step off the curb into oncoming traffic, the green light won't prevent broken bones.

> > I think in this case the trick would be to encrypt a cryptographically
> > sound hash of the source code.
>
> While you're mathematically correct, common English usage would call the
> private key operation on a hash to be a signing operation, not encryption.

Well, I think the common technical usage is that this is a signing operation on the document, performed by encryption of the hash. But the "Encrypt with..." couplet is far more poetic.

--woody

Disclaimer: my phd is indeed in mathematics, although in combinatorial graph theory, and has no direct relationship to cryptography or amusing applications of the law of excluded middle.

--
Dr. Robert "Woody" Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138
--
Whom computers would destroy, they must first drive mad.
RE: how to extract the private key out of the KEY.PEM
"Dave Thompson" wrote on 11/18/2013 05:07:14 PM:
> For RSA the private key is at least (d,n), and OpenSSL always generates
> the "CRT" form which has half a dozen other elements to allow more

Oh, well if you are going to be *helpful* ...

>> So our question is how do we extract the private key as

see http://www.openssl.org/docs/apps/pkey.html

try

$ openssl pkey -in -text

--
Dr. Robert "Woody" Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138
--
If you are going to walk on thin ice, you may as well dance.
Re: how to extract the private key out of the KEY.PEM
owner-openssl-us...@openssl.org (Kenneth Goldman/Watson/IBM@IBMUS) wrote on 11/18/2013 10:03:29 AM:
> Do not encrypt with a private key. Encrypt with the public key and
> decrypt with the private key.

Encrypt with a private key for integrity purposes: this shows that the data that was encrypted corresponds to the owner of the key.

Encrypt with a public key for confidentiality purposes: this shows that the data can only be received by the owner of the key.

I think in this case the trick would be to encrypt a cryptographically sound hash of the source code.

--woody

--
Dr. Robert "Woody" Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138
--
If you are going to walk on thin ice, you may as well dance.
Re: RHEL rpm and FIPS validation
Steve Marquess wrote on 11/07/2013 09:02:05 AM:
> > Is there a basis for asserting FIPS 140 validation with
> > openssl-0.9.8e-26.el5_9.1|(none), or must the original RPM be used?
>
> You'll need to ask Red Hat; it's their proprietary validation. From a
> quick glance it appears to be a knock-off of the open source based
> OpenSSL FIPS Object module you're probably confusing it with.

Thanks for the rapid and insightful response!

--woody

--
Dr. Robert "Woody" Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138
--
Shick's Law: There is no problem a good miracle can't solve.
RHEL rpm and FIPS validation
Greetings,

Apologies if this has been covered before, but I couldn't find it in a search.

I'm trying to deploy FIPS 140 validated crypto to a RHEL 5 box as part of a FISMA covered project. I think the relevant policy is http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1320.pdf which states "The version of the RPM containing the validated module is version 0.9.8e-22.el5_8.3."

The rpm has moved on, and the version the support person wants to use is openssl-0.9.8e-26.el5_9.1|(none) .

Is there a basis for asserting FIPS 140 validation with openssl-0.9.8e-26.el5_9.1|(none), or must the original RPM be used?

advTHANKSance,

--woody

--
Dr. Robert "Woody" Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138
--
Shick's Law: There is no problem a good miracle can't solve.