Re: Registration
On Fri February 25 2011, John R Pierce wrote: On 02/25/11 4:28 PM, David Schwartz wrote: On 2/25/2011 11:59 AM, Michael S. Zick wrote: On Fri February 25 2011, Ricardo Custodio wrote: Veja www.icp.edu.br Interesting, I get a server certificate fails authentication from the above address. You haven't chosen to trust the CA that issued it. Keep in mind that when the person offering advice can't get it right. . . . How is your decision not to trust the CA he chose to use a mistake on his part? See below. the root certificate in question is not in either Google Chrome's list of CAs, or in Mozilla Firefox's list. AC-SSL da ICPEDU is the Root CA, issuing a certificate to www.icp.edu.br The Root Certificate appears to be one locally generated... CN=AC-SSL da ICPEDU S=Distrito Federal C=BR E=go...@icp.edu.br O=ICPEDU O=RNP L=Brasilia with an issuer statement... Os certificados da ICPEDU sao para uso exclusivo por instituicoes brasileiras de ensino e pesquisa, e nao tem eficacia probante. which iGoogle roughly translates as... Certificates of ICPEDU are for exclusive use by institutions of higher education and research, and has no probative efficacy. Nice review John, much better than I did from first impressions. So basically, this is pretty close to self-signed. Evidently designed to work within a closed (or small, pre-defined) group and working exactly as designed and intended. Generation of a negative user impression when used outside of that group, which also may or may not be as intended; The server is redirecting scheme http to scheme https; When encountering a partial URI without a scheme, many browsers assume scheme http; So the partial URI post (often) works like: partial URI - http - server redirect to https - negative impression Which might have been the poster's intent or a simple oversight in assuming the server was configured to serve the general public as http. In my post it is the creation of a negative impression which might be a mistake not anything to do with the handling of secure communications. My bad for not being clearer. Mike __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Registration
Maicon, do que precisa exatamente? Criar uma AC para gerar certificados para serem usados na aplicação? Em 25 de fevereiro de 2011 12:32, Usuário do Sistema maico...@ig.com.brescreveu: Hello, I'm Maicon from Brazil. I'm deployment a project with freeradiusd EAP-TLS. so I need deploy a CA to issued certification for usuers. I need help to deploy that with openssl. thank
Re: Registration
Veja www.icp.edu.br rfc 2011/2/25 Emerson Saito emerson.sa...@gmail.com Maicon, do que precisa exatamente? Criar uma AC para gerar certificados para serem usados na aplicação? Em 25 de fevereiro de 2011 12:32, Usuário do Sistema maico...@ig.com.brescreveu: Hello, I'm Maicon from Brazil. I'm deployment a project with freeradiusd EAP-TLS. so I need deploy a CA to issued certification for usuers. I need help to deploy that with openssl. thank -- *** Prof. Ricardo Felipe Custódio Supervisor do LabSEC/UFSC labsec.ufsc.br **
Re: Registration
On Fri February 25 2011, Ricardo Custodio wrote: Veja www.icp.edu.br Interesting, I get a server certificate fails authentication from the above address. Keep in mind that when the person offering advice can't get it right. . . . Mike rfc 2011/2/25 Emerson Saito emerson.sa...@gmail.com Maicon, do que precisa exatamente? Criar uma AC para gerar certificados para serem usados na aplicação? Em 25 de fevereiro de 2011 12:32, Usuário do Sistema maico...@ig.com.brescreveu: Hello, I'm Maicon from Brazil. I'm deployment a project with freeradiusd EAP-TLS. so I need deploy a CA to issued certification for usuers. I need help to deploy that with openssl. thank __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Registration
On 2/25/2011 11:59 AM, Michael S. Zick wrote: On Fri February 25 2011, Ricardo Custodio wrote: Veja www.icp.edu.br Interesting, I get a server certificate fails authentication from the above address. You haven't chosen to trust the CA that issued it. Keep in mind that when the person offering advice can't get it right. . . . How is your decision not to trust the CA he chose to use a mistake on his part? DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Registration
On 02/25/11 4:28 PM, David Schwartz wrote: On 2/25/2011 11:59 AM, Michael S. Zick wrote: On Fri February 25 2011, Ricardo Custodio wrote: Veja www.icp.edu.br Interesting, I get a server certificate fails authentication from the above address. You haven't chosen to trust the CA that issued it. Keep in mind that when the person offering advice can't get it right. . . . How is your decision not to trust the CA he chose to use a mistake on his part? the root certificate in question is not in either Google Chrome's list of CAs, or in Mozilla Firefox's list. AC-SSL da ICPEDU is the Root CA, issuing a certificate to www.icp.edu.br The Root Certificate appears to be one locally generated... CN=AC-SSL da ICPEDU S=Distrito Federal C=BR E=go...@icp.edu.br O=ICPEDU O=RNP L=Brasilia with an issuer statement... Os certificados da ICPEDU sao para uso exclusivo por instituicoes brasileiras de ensino e pesquisa, e nao tem eficacia probante. which iGoogle roughly translates as... Certificates of ICPEDU are for exclusive use by institutions of higher education and research, and has no probative efficacy. So basically, this is pretty close to self-signed. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Registration
On 2/25/2011 5:03 PM, John R Pierce wrote: the root certificate in question is not in either Google Chrome's list of CAs, or in Mozilla Firefox's list. AC-SSL da ICPEDU is the Root CA, issuing a certificate to www.icp.edu.br The Root Certificate appears to be one locally generated... CN=AC-SSL da ICPEDU S=Distrito Federal C=BR E=go...@icp.edu.br O=ICPEDU O=RNP L=Brasilia with an issuer statement... Os certificados da ICPEDU sao para uso exclusivo por instituicoes brasileiras de ensino e pesquisa, e nao tem eficacia probante. which iGoogle roughly translates as... Certificates of ICPEDU are for exclusive use by institutions of higher education and research, and has no probative efficacy. So basically, this is pretty close to self-signed. So it's working as designed. He's decided that encryption that can't be broken passively is better than nothing. It's not clear to me that this is a mistake on his part. Perhaps if he didn't realize the implications of his decision, it might be an error. But not knowing his requirements, I don't see how we can say that. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org