Re: Seeking officers for Free-software-friendly CA
Nicolas Roumiantzeff wrote:
>
> Stephen,
>
> >Well I'm one person who distrusts ActiveX and with good reason.
> >I know of some ActiveX controls signed by Microsoft that open up
> >security holes: one allows you to run arbitrary code.
>
> You don't need to install ActiveX to get security holes, there is plenty
> enough in IE itself ;-)

Yes I know but ActiveX is a particularly good way of generating an endless stream of security holes particularly on the "anyone can do anything" (Win95, 98 etc) OSes.

> Is the ActiveX you mentioned marked as safe for scripting?
>

Erm yes it is, in fact its only use is for scripting. I told MS about it and they appear to have silently upgraded it with newer stuff without any other mention AFAIK. I think I'd better send some info to the various security lists before giving any more info. MS have been given more than fair warning.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: Seeking officers for Free-software-friendly CA
Stephen,

>Well I'm one person who distrusts ActiveX and with good reason.
>I know of some ActiveX controls signed by Microsoft that open up
>security holes: one allows you to run arbitrary code.

You don't need to install ActiveX to get security holes, there is plenty enough in IE itself ;-) Subscribe to the Microsoft Product Security Notification Service and you will get an average of one bulletin with a new security issue every other week!
http://www.microsoft.com/security/services/bulletin.asp?ID=8&Parent=2

Is the ActiveX you mentioned marked as safe for scripting?

Nicolas Roumiantzeff.
RE: Seeking officers for Free-software-friendly CA
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Dr. Greg Quinn
> Sent: Saturday, 8 January 2000 11:04
> To: [EMAIL PROTECTED]
> Subject: Re: Seeking officers for Free-software-friendly CA
>
>
> On Fri, 7 Jan 2000, Michael Sierchio wrote:
>
> > jon hale wrote:
> > >
> > > I am curious about the expiration of this patent. Does it
> definitely expire?
> >
> > September 20, 2000.
>
> I recall someone a while back posting to this list that it actually
> expires in October and not September as commonly thought;
> perhaps someone
> can clarify this.

It is definitely Sep 20 2000. I remember this date because it happens to be my birthday!

For your interest, information about other significant patents in this area is given below. Note that patent protection applies for 17 years.

Patent #     Date      Inventor                   Covers
4 200 770    4/29/80   Hellman, Diffie, Merkle    Diffie-Hellman key exchange
4 218 582    8/19/80   Hellman, Merkle            Merkle-Hellman knapsacks
4 405 829    9/20/83   Rivest, Shamir, Adleman    RSA
4 424 414    3/3/84    Hellman, Pohlig            Pohlig-Hellman
4 995 082    2/19/91   Schnorr                    Schnorr signatures

Source: p604, "Applied Cryptography", Second Edition, Bruce Schneier

Regards,

Craig Southeren
---
Equivalence - Home of FireDoor, MibMaster & PhonePatch
For Open Source H.323 - see http://www.openh323.org
Email: [EMAIL PROTECTED]
Web: http://www.equival.com.au
Fax: +61 2 4368 1395
Voice: +61 2 4368 2118
Re: Seeking officers for Free-software-friendly CA
On Fri, 7 Jan 2000, Michael Sierchio wrote:

> jon hale wrote:
> >
> > I am curious about the expiration of this patent. Does it definitely expire?
>
> September 20, 2000.

I recall someone a while back posting to this list that it actually expires in October and not September as commonly thought; perhaps someone can clarify this.
Re: Seeking officers for Free-software-friendly CA
Stephen,

> When you add a CA via an API call from ActiveX control or any other
> method in IE you still can get a series of dialog boxes asking you first
> if you want to download the control. AFAIK you always get a box asking
> whether you want to add the root CA.
>
> With Netscape the method of adding a CA via a plugin works only under
> Windows and could be regarded as a security hole in Netscape which could
> be plugged at any time.
>
> With Netscape you also get lots of dialog boxes asking if you really
> want to let this stuff potentially write all over your hard disk.
>
> On the plus side ActiveX controls and Netscape signed stuff doesn't
> expire when the certificates do. If you serve up stuff with SSL the
> certificate needs to be up to date.
>
> On the minus side many people are very wary of ActiveX controls because
> they can either deliberately or accidentally open up security holes.

That's exactly the point. I would not trust plugins or active code or stuff like that to install anything sensitive like certificates in my database.

> Netscape signed objects are a bit more primitive: they allow expired
> certificates to be used and don't do revocation checking.
>
> Speaking personally on balance I'd be much happier adding a CA
> certificate over SSL than running a signed object.

I wholeheartedly agree with you on this one!

Cheers,

Stefan.
__
Stefan Kelm               PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30       http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)   Tel: +49 40 428 83-2262 / Fax: -2241
Re: Seeking officers for Free-software-friendly CA
Leland,

> Here is the issue - installing a CA manually provides no more trust than accepting a
>self-signed CERT.
>
> There is also a big downside to installing a CA manually - if the user accepts a CA
>by accident or misintention, that user is open [open = accepting a secure connection
>without any warning] to ALL sites that reference that CA; a user accepting a
>self-signed CERT is only open to the site presenting the CERT.

Although I can see your point I disagree. Pre-installed certificates, as user-friendly as they might be, lead to a false sense of security. Based on the fact that the browsers are shipped with a certain number of CAs one can not make any assumptions about the trustworthiness of those CAs. In fact, I think the so-called "browser trust model" is utterly wrongly named because the "trust" is based on the right amount of money only.

As a non-pre-installed CA we ask our users to manually install AND verify our root and subordinate certificates. Agreed, this is not that user-friendly but by doing so many users get a feeling of what's going on.

> The main advantage to a CA is that their root CERTs are pre-installed in standard
>web browsers. I personally can see no advantage to a public CA that is not
>pre-installed, .. only in the case where a number of sites are referencing a
>potential CA (a la Intranet) would it be an advantage.
>
> An openCA is an extremely nice idea, .. but I think it would be better handled if
>someone, perhaps, could convince the Netscape folks to include it in NN5.

This is just a matter of bucks...

Cheers,

Stefan.

PS: This isn't really openssl relevant... :-)
__
Stefan Kelm               PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30       http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)   Tel: +49 40 428 83-2262 / Fax: -2241
Re: Seeking officers for Free-software-friendly CA
jon hale wrote:
>
> I am curious about the expiration of this patent. Does it definitely expire?

September 20, 2000.

> Can it be renewed?

Thank GATT, no.
Re: Seeking officers for Free-software-friendly CA
Nicolas Roumiantzeff wrote:
>
> Yes I think both solutions are equivalent from a crypto point of view and are
> both definitively better than installing manually a CA cert through an
> unsecured download.
>
> There might be two practical differences though:
>
> 1) I am not sure that the browser (IE and NN) UI will let the user make the
> difference between installing a CA cert through a secured SSL connection and
> through an unsecured connection.
>
> 2) And most important, with the ActiveX and Plug-in/SmartUpdate scheme, you
> can automatically detect if the CA cert has already been installed or not.
>

There are some other practical differences between the two.

When you add a CA via an API call from ActiveX control or any other method in IE you still can get a series of dialog boxes asking you first if you want to download the control. AFAIK you always get a box asking whether you want to add the root CA.

With Netscape the method of adding a CA via a plugin works only under Windows and could be regarded as a security hole in Netscape which could be plugged at any time.

With Netscape you also get lots of dialog boxes asking if you really want to let this stuff potentially write all over your hard disk.

On the plus side ActiveX controls and Netscape signed stuff doesn't expire when the certificates do. If you serve up stuff with SSL the certificate needs to be up to date.

On the minus side many people are very wary of ActiveX controls because they can either deliberately or accidentally open up security holes.

Netscape signed objects are a bit more primitive: they allow expired certificates to be used and don't do revocation checking.

Speaking personally on balance I'd be much happier adding a CA certificate over SSL than running a signed object.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Seeking officers for Free-software-friendly CA
Yes I think both solutions are equivalent from a crypto point of view and are both definitively better than installing manually a CA cert through an unsecured download.

There might be two practical differences though:

1) I am not sure that the browser (IE and NN) UI will let the user make the difference between installing a CA cert through a secured SSL connection and through an unsecured connection.

2) And most important, with the ActiveX and Plug-in/SmartUpdate scheme, you can automatically detect if the CA cert has already been installed or not.

Nicolas Roumiantzeff.

Note: re-reading Pete Chown's previous message, I think Pete and Steve are describing exactly the same scheme.

-Original Message-
From: Dr Stephen Henson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday 7 January 2000 10:59
Subject: Re: Seeking officers for Free-software-friendly CA

>Nicolas Roumiantzeff wrote:
>>
>>
>> In the solution I suggested, the CA cert is not installed manually (as when
>> you connect to an SSL server which is not "chained" to a trusted CA of the
>> browser) but installed automatically (by an ActiveX or a Netscape Plug-in
>> using SmartUpdate). Did you get the point that the ActiveX and the plug-in
>> would be signed?
>>
>
>What about serving up the CA certificate via an SSL server whose
>certificate is from a "standard" CA? Then you get the assurance that SSL
>session hasn't been tampered with and a "trusted" CA has certified the
>server itself.
>
>Steve.
>--
>Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
>Personal Email: [EMAIL PROTECTED]
>Senior crypto engineer, Celo Communications: http://www.celocom.com/
>Core developer of the OpenSSL project: http://www.openssl.org/
>Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Seeking officers for Free-software-friendly CA
Nicolas Roumiantzeff wrote:
>
>
> In the solution I suggested, the CA cert is not installed manually (as when
> you connect to an SSL server which is not "chained" to a trusted CA of the
> browser) but installed automatically (by an ActiveX or a Netscape Plug-in
> using SmartUpdate). Did you get the point that the ActiveX and the plug-in
> would be signed?
>

What about serving up the CA certificate via an SSL server whose certificate is from a "standard" CA? Then you get the assurance that the SSL session hasn't been tampered with and a "trusted" CA has certified the server itself.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Seeking officers for Free-software-friendly CA
I am curious about the expiration of this patent. Does it definitely expire? Can it be renewed? Is there a web page that discusses such issues?

Thanks,
-jon

-Original Message-
From: Dr. Greg Quinn <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, January 06, 2000 9:16 AM
Subject: Re: Seeking officers for Free-software-friendly CA

>
>On Wed, 5 Jan 2000, Leland V. Lammert wrote:
>
>> ...
>
>
>authority would be very helpful. I think it's going to be inevitable with
>the expiration of the RSA patent in October that there'll be an explosion
>of people and sites using certs, many of their own auth creation.
>
...
Re: Seeking officers for Free-software-friendly CA
>One problem with this scenario - the user is still essentially trusting YOUR server instead of the CA. By trusting your server to install the proper CERT you are no worse (to the user) than using a self-signed CERT (which we do).

Lee,

I don't see your point:

First, you mean "you are no BETTER than using a self-signed CERT" right?

Second, the user is not trusting the web server (nor the internet) to install the new CA cert because the user downloads a signed ActiveX or signed plug-in. So I still think the user ONLY needs to trust:
- His computer (in any case)
- His browser (this includes trusting Netscape or Microsoft and the way he got it)
- Verisign (or another pre-installed CA)
- the new CA

Maybe you could elaborate...

Nicolas Roumiantzeff.

Note: in the meantime I popped a message from Pete Chown describing an analogous (same?) solution on the same thread.
Re: Seeking officers for Free-software-friendly CA
At 01:22 PM 1/4/00 , you wrote:
>One solution to the fact that the new CA is not embedded in IE nor Netscape is
>to:
>
>
>
>Nicolas Roumiantzeff.

Nicolas,

One problem with this scenario - the user is still essentially trusting YOUR server instead of the CA. By trusting your server to install the proper CERT you are no worse (to the user) than using a self-signed CERT (which we do).

Lee

Leland V. Lammert                [EMAIL PROTECTED]
Chief Scientist                  Omnitec Corporation
Network/Internet Consultants     www.omnitec.net
Re: Seeking officers for Free-software-friendly CA
One solution to the fact that the new CA is not embedded in IE nor Netscape is to:

1) get a certificate from Verisign for component developers (2 actually, one for IE and one for Netscape),
2) Develop an ActiveX for IE and a Plug-in for Netscape which installs the new CA certificate as trusted (using for example Michael Pogrebisky's code),
3) Sign the ActiveX and the plug-in using the Verisign certificate,
4) Web administrators could then start addressing certificate signing requests to the new CA,
5) after some verification (following a security policy to be defined) the CA would send back the signed certificate to the Web administrator (as well as the ActiveX and the plug-in),
6) The Web administrator could then set up his SSL server not forgetting to place on his website a special page containing the ActiveX for IE and the plug-in for Netscape,
7) Users accessing the Web site would transparently download the ActiveX if using IE or the plug-in if using Netscape (this will only be needed the first time the user accesses a site certified by the new CA),
8) the user is presented the certificate issued by Verisign to the new CA which he can choose to accept (if he trusts the new CA) or reject it (if he doesn't trust the new CA nor Verisign and if he understands what this certificate is all about),
9) if the user accepts the certificate, the new CA is installed in the browser (in a secure way because the CA public key could not have been falsified by the Web administrator nor altered during the HTTP download),
10) SSL sessions can now be established to access the Web site through HTTPS.

Note: this proposal deals with the SSL server certificates and could also be extended for component developers. For SSL client certificates, I don't see any benefit in using a Verisign certificate instead of a self generated certificate anyway. And for e-mail certificates, a web-of-trust à-la PGP is better than a Verisign user ID from my point of view (an e-mail address can be easily spoofed I believe).

Nicolas Roumiantzeff.

-Original Message-
From: Theodore Hope <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Sunday 26 December 1999 20:37
Subject: Re: Seeking officers for Free-software-friendly CA

>Stefan,
>
>> At first, Netscape was very fast in telling us that the price for including
>> up to five "trusted roots" would be $250,000. Although we still showed
>> interest they suddenly stopped communicating with us. Still, this was a
>> better response than the silence we received from Microsoft. It took us
>> almost half a year of nagging to get an email back which was completely
>> useless! :-(
>
>Indeed, this is the problem!
Re: Seeking officers for Free-software-friendly CA
Dr. Greg Quinn wrote:

> A big limitation as far as I can see would be getting certs
> pre-installed into web browsers. The chance of either MS or
> netscape doing this would be close to none.

Yes. On the other hand, there is a way of giving people a trusted copy of the root certificate without it being pre-installed. You get a certificate from some other CA, and use that on the web server that supplies the root cert. People thus know that the copy of the root cert they are receiving really comes from freecert. (Of course, they don't know how much freecert is to be trusted.)

--
phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ
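The scheme Steve and Pete describe (fetch the root certificate over an SSL/TLS connection whose server certificate chains to a pre-installed "standard" CA), combined with Stefan's step of having the user verify the root before installing it, as an added example in Python that is not code from this thread or from the OpenSSL project. The host, path and published fingerprint are placeholders, and the embedded sample certificate bytes are constructed for the offline run, not a real certificate.

```python
"""Download a root CA certificate over an authenticated TLS connection and
refuse to trust it unless its fingerprint matches a value obtained out of band
(printed in a brochure, read over the phone, published in a signed document).
Added example, not code from the thread or from the OpenSSL project."""
import hashlib
import hmac
import http.client
import ssl
from typing import Union

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def fetch_root_over_tls(host: str, path: str, timeout: float = 10.0) -> bytes:
    """Fetch the root certificate from an HTTPS server whose own certificate
    chains to one of the platform's pre-installed CAs (Steve's/Pete's scheme).

    create_default_context() turns on verification against the system trust
    store and hostname checking, so a spoofed server or a tampered transfer
    fails here instead of silently handing us a bogus root.
    host and path are placeholders supplied by the caller."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP status {resp.status} for {path}")
        return resp.read()
    finally:
        conn.close()


def to_der(cert: Union[bytes, str]) -> bytes:
    """Accept PEM (str or bytes) or raw DER; return DER, which is what
    fingerprints are computed over."""
    if isinstance(cert, bytes):
        if cert.lstrip().startswith(PEM_HEADER.encode("ascii")):
            return ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
        return cert
    return ssl.PEM_cert_to_DER_cert(cert.strip())


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Fingerprint in the colon-separated upper-case form that
    `openssl x509 -fingerprint` prints, so it can be compared by eye
    with a published value."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(text: str) -> str:
    """Drop colons, spaces and case so that however the out-of-band value
    was transcribed it compares equal to what we compute."""
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def verify_root_cert(cert: Union[bytes, str], published: str,
                     algo: str = "sha256") -> bool:
    """True only if the certificate's fingerprint equals the published one.
    The TLS download protects the bytes in transit; this check is what ties
    them to the CA the user actually meant to trust, which the download
    alone cannot do (as Pete notes, it says nothing about freecert itself)."""
    computed = normalize_fingerprint(fingerprint(to_der(cert), algo))
    expected = normalize_fingerprint(published)
    # compare_digest returns False (no exception) on unequal lengths
    return hmac.compare_digest(computed, expected)


# Constructed sample: the bytes "abc" stand in for a DER certificate so the
# block runs offline. They are NOT a real certificate; a real root would be
# hundreds of bytes starting with the DER SEQUENCE tag 0x30.
SAMPLE_DER = b"abc"
SAMPLE_PEM = f"{PEM_HEADER}\nYWJj\n-----END CERTIFICATE-----\n"
# The fingerprint the CA would publish for that sample (SHA-256 of "abc"),
# written the way a user might transcribe it: lower case, no colons.
PUBLISHED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    print("computed :", fingerprint(SAMPLE_DER))
    print("published:", PUBLISHED_SHA256)
    print("install? :", verify_root_cert(SAMPLE_PEM, PUBLISHED_SHA256))
    # Real use (placeholders): der = fetch_root_over_tls("ca.example", "/root.pem")
```

Only after `verify_root_cert` returns True should the certificate be handed to the browser's or system's trust store; a mismatch means either a transcription error or a substituted root, and in both cases the right action is to stop.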
Re: Seeking officers for Free-software-friendly CA
Stefan Kelm wrote:
>
> Ciao Massimiliano,
>
> > We can ask to the ICE-TEL (ICE-CAR) project for a certificate as they have
> > already a place in the Netscape base cert directory (I think) and are the
> > European Research project about security/certificates/CAs/etc...
>
> ICE-CAR is the successor of ICE-TEL and is "a" European Research project,
> not "the" European Research project. :-) Their certificates are not
> included in any of the current browsers. In fact, they are just right now
> rebuilding the whole infrastructure by issuing new certificates:

sorry... it is one of the projects... :-D

I know they are rebuilding the hierarchy's root keys... we are waiting to get one CA key to use... :-D

C'you,

Massimiliano Pala ([EMAIL PROTECTED])
Re: Seeking officers for Free-software-friendly CA
Ciao Massimiliano,

> We can ask to the ICE-TEL (ICE-CAR) project for a certificate as they have
> already a place in the Netscape base cert directory (I think) and are the
> European Research project about security/certificates/CAs/etc...

ICE-CAR is the successor of ICE-TEL and is "a" European Research project, not "the" European Research project. :-) Their certificates are not included in any of the current browsers. In fact, they are just right now rebuilding the whole infrastructure by issuing new certificates:
http://ice-car.darmstadt.gmd.de/

Cheers,

Stefan.
__
Stefan Kelm               PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30       http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)   Tel: +49 40 428 83-2262 / Fax: -2241
Re: Seeking officers for Free-software-friendly CA
Theodore,

> The big problem here is getting Micro$oft and Netscape/AOL to agree to put
> this new CA's root into their browsers. Otherwise, it's not going to be

Well, neither Microsoft nor Netscape will "agree" unless you pay A LOT of money. We've been in touch with both companies for the past couple of months in order to negotiate whether our DFN-PCA certificates (thanks to Lutz for mentioning us on this list... :-)) could be shipped with future versions of the two browsers.

At first, Netscape was very fast in telling us that the price for including up to five "trusted roots" would be $250,000. Although we still showed interest they suddenly stopped communicating with us. Still, this was a better response than the silence we received from Microsoft. It took us almost half a year of nagging to get an email back which was completely useless! :-(

Cheers,

Stefan.
__
Stefan Kelm               PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30       http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)   Tel: +49 40 428 83-2262 / Fax: -2241
Re: Seeking officers for Free-software-friendly CA
Lutz Jaenicke wrote:
> On Wed, Dec 22, 1999 at 10:40:56AM -0800, Dr. Greg Quinn wrote:
> > I think a free CA would be great. I really wish there was an academic
> > institution initiative. A big limitation as far as I can
> > see would be getting certs pre-installed into web browsers.
> > The chance of either MS or netscape doing this would be close to none.
> > If my experience is anything to go by, asking the average user to import a
> > CA can be problematic.
>
> Well, I don't know about other countries, but at least in Germany we
> do have an initiative like this (sorry, pages seem to be available only
> in German):
> http://www.cert.dfn.de/dfnpca/
> The DFN is the provider of Internet connectivity for German academic
> institutions.

Similar to the German DFN initiative, in the Netherlands SURFnet, as the Dutch academic Internet Service Provider, has built the (PGP/X.509) PKI for Dutch academic institutions:
http://pki.surfnet.nl

regards,
janus
http://www.sec.nl/persons/janus
TRUST in Free CAs [was: Seeking officers for Free-software-friendly CA]
Well.. the discussion so far shows that

1. there ARE technical solutions
2. there are NO practical solutions regarding the TRUST which you can put into such a CA (being registered by any authority isn't enough, as I won't EVER trust an authority which gives certificates to ANYBODY)

Obviously there is an open solution for a similar problem, namely PGP's "Web of Trust" (open and free only due to GNU's "Privacy Guard" (GPG)... reminds me of: Did I mention that Germany's Secretary of Trade donated 150.000 Euro for the development of user friendly integrations of GNU's GPG into Email and E-commerce applications?).

BUT: The "Web of Trust" won't work in an SSL environment. PGP/GPG works just great in a personalized environment, where you want to sign mails or documents or just encrypt them for business partners or friends. But there must be a connection to the partners in question, be it direct or indirect. All the PGP/GPG keyservers and databases around the world ONLY serve the purpose to let you check the INTEGRITY of keys and get a very sketchy impression that the name you used as addressee is somehow connected to the key you used to sign... but in NO WAY that this key is connected to a certain real person.

On the other hand: SSL/OpenSSL's sole application which makes real sense is in setting up secure connections AUTOMATICALLY, with AUTOMATIC TRUST. This has been the difference between PEM (and afterwards S/MIME and SSL) and PGP from the very beginning. One has trust built in and the other needs you to put trust explicitly into it. Regarding the number of different sites I e.g. daily get in contact with I can clearly say that I won't ever be able to put trust into all the sites' certificates myself, that I absolutely need an automatic solution which I do trust.

Open and free software is great! Open and free software for CAs is at least as great! But open and free CAs will never be even NEAR greatness!

Besides: I really would love to help building such a CA (I do have some experience with Europe's ITSEC/Common Criteria evaluations and I already consulted a company which thought about opening a CA according to Germany's Signature Law.) Believe me though, it won't work without certain minimal security measures and that means CONTROL (i.e. revision) and MONEY (well.. perhaps not that much money as some think...).

Peaceful Regards

Michael
--
/ 3C Dr.Klingler, Dr.Portz GbR
/ Kaiserstr. 100
/ 52134 Herzogenrath / Germany
/ Tel: ++49 2407 96056
/ Fax: ++49 2407 96292
/ Email: mailto:[EMAIL PROTECTED]
/ WWW: http://www.3CKP.com/
Re: Seeking officers for Free-software-friendly CA
Perhaps because the hostname in the cert is for secure.openca.org, even though it's a CNAME for the same host. Try https to secure.openca.org and see if you have better results.

Brian

"James B. Huber" wrote:
>
> Thomas Reinke writes:
> > Sorry for taking this off-thread - is anyone else able
> > to actually connect to http://www.openca.org ? We've
> > shown it being down (IP not pingable) for the last
> > couple of attempts we've made at reaching it...
> >
> Yes,
> But I've never been able to do https with it.
>
> Jim
> --
> ==
> James B. Huber            [EMAIL PROTECTED]
> Genesis Controls, Inc.    (V/O) (407) 671-0820
> ==
Re: Seeking officers for Free-software-friendly CA
"James B. Huber" wrote:
> Yes,
> But I've never been able to do https with it.

Please, try now.

C'you,

Massimiliano Pala ([EMAIL PROTECTED])
Re: Seeking officers for Free-software-friendly CA
Lutz Jaenicke wrote:
> So much for now, I am not enthusiastic that just because we have OpenSSL
> and/or OpenCA we will easily get a real CA for nothing.
> (I personally can be optimistic, because there is the DFN-PCA described above,
> but I don't know which other institutions offer such service.)

I think you got the point (not only for free CAs): real problems, by now, are the Policies definitions and organizational related rather than crypto/software related.

C'you,

Massimiliano Pala ([EMAIL PROTECTED])
Re: Seeking officers for Free-software-friendly CA
"Dr. Greg Quinn" wrote:
>
> I think a free CA would be great. I really wish there was an academic
> institution initiative. A big limitation as far as I can
> see would be getting certs pre-installed into web browsers.
> The chance of either MS or netscape doing this would be close to none.
> If my experience is anything to go by, asking the average user to import a
> CA can be problematic.

We can ask to the ICE-TEL (ICE-CAR) project for a certificate as they have already a place in the Netscape base cert directory (I think) and are the European Research project about security/certificates/CAs/etc...

Another way of avoiding the problem is: before applying for a request, the user is asked to import the certificate just before submitting data (required).

C'you,

Massimiliano Pala ([EMAIL PROTECTED])
Re: Seeking officers for Free-software-friendly CA
At 12:40 PM 12/22/99 , you wrote:
>I think a free CA would be great. I really wish there was an academic
>institution initiative. A big limitation as far as I can
>see would be getting certs pre-installed into web browsers.
>The chance of either MS or netscape doing this would be close to none.
>If my experience is anything to go by, asking the average user to import a
>CA can be problematic.

It IS going to be a pain - Thawte was the only agency willing to issue a CERT for user-compiled code. The only solution that I see is for vendors to self-certify. What's the difference between self-certification and a Verisign cert anyway?? In the first case, the user gets the 'do you trust this site' messages (four in NN), but once they accept the cert no problem. In the second case, the user must trust the CA (Verisign only in the current marketplace), of which they are not aware in most cases.

I created our own cert two years ago, and just renewed it (recreated for another 365 days) for the second time. Nobody has complained to date!

Lee

Leland V. Lammert                [EMAIL PROTECTED]
Chief Scientist                  Omnitec Corporation
Network/Internet Consultants     www.omnitec.net
Re: Seeking officers for Free-software-friendly CA
Thomas Reinke writes:
> Sorry for taking this off-thread - is anyone else able
> to actually connect to http://www.openca.org ? We've
> shown it being down (IP not pingable) for the last
> couple of attempts we've made at reaching it...
>

Yes,
But I've never been able to do https with it.

Jim
--
==
James B. Huber            [EMAIL PROTECTED]
Genesis Controls, Inc.    (V/O) (407) 671-0820
==
Re: Seeking officers for Free-software-friendly CA
On Wed, Dec 22, 1999 at 10:40:56AM -0800, Dr. Greg Quinn wrote:
> I think a free CA would be great. I really wish there was an academic
> institution initiative. A big limitation as far as I can
> see would be getting certs pre-installed into web browsers.
> The chance of either MS or Netscape doing this would be close to none.
> If my experience is anything to go by, asking the average user to import a
> CA can be problematic.

Well, I don't know about other countries, but at least in Germany we do have
an initiative like this (sorry, pages seem to be available only in German):

  http://www.cert.dfn.de/dfnpca/

The DFN is the provider of Internet connectivity for German academic
institutions. I am however afraid only few people know about this project :-)

They also seem to care about what they certify: you can get a server
certificate directly from them, but then you have to meet them personally.
They also certify computer centers of universities, which then can issue
certificates themselves. My university is a fresh member in the list, so
probably I will get a certificate there in the future.

With regard to the users... There seem to be different types.

- I do provide the address list for my sports group, but I only provide it
  with SSL enabled, so that neither the password nor the data itself can be
  sniffed or caught at a proxy. (Some members work in large companies with a
  tight network setup and netadmins that would like to know more than they
  should :-) I have changed my certificate over time while learning how to
  be my own CA.
  * Nobody _ever_ complained about that. Even more, I asked them whether
    they got any message on the screen.
      - Which message?
      - About certificates and so on.
      - Well, I don't remember. Maybe I clicked away some boxes.
  * The people are not technical staff; we have lawyers, economists,
    secretaries...
- I have seen this more than once; most people don't care at all and it is
  nearly impossible to even explain to them the difference between 40-bit
  and 128-bit. They don't care, even for banking.

Having said this, I don't know the terms of trade with M$ and/or Netscape.
Having the root CA of your company in the browsers is the base for your
business as a CA, so I would think that the CAs do pay to get included.
-> Problem for free CA (not of technical nature)

To achieve at least a bit of sense in using CAs, a minimum standard for
"trust" must be defined to be included in the standard list. If anybody can
be a CA (including my home-grown AET-CA I use myself), the list becomes
useless. So for a CA you do need an infrastructure for checking real
identities. Defining a policy is not enough, you must also be able to
realize it. So it will cost some money to maintain your infrastructure.
-> Problem for free CA (not of technical nature)

So much for now, I am not enthusiastic that just because we have OpenSSL
and/or OpenCA we will easily get a real CA for nothing. (I personally can be
optimistic, because there is the DFN-PCA described above, but I don't know
which other institutions offer such a service.)

Best regards,
Lutz

PS. Yes, I read Schneier's paper about CAs on Counterpane :-)
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
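The checks behind the "boxes" that Lutz's club members clicked away, and behind Greg Quinn's point that a root which is not pre-installed has to be imported by every user, as an added example that is not part of the original thread and not code from the OpenCA or OpenSSL projects: a throwaway home-grown CA built with the openssl(1) command line, one server certificate issued by it, and the verification a client performs against a trust list that does or does not contain that root. The CA names, the hostname addresses.sports.example and the file layout are made-up assumptions for the demo; it needs only the openssl binary and relies on `openssl verify` signalling failure through its exit status, as current releases do.

```shell
#!/bin/sh
# Added example, not from the original thread: a home-grown CA in the
# spirit of the "AET-CA" above, driven entirely from the openssl(1) CLI.
# All names and hostnames below are invented for the demo.
set -eu

# make_ca DIR NAME: self-signed root with explicit CA extensions written to
# its own config file, so the result does not depend on whatever
# openssl.cnf the host happens to ship.
make_ca() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$1/ca.cnf" -subj "/CN=$2" -newkey rsa:2048 \
        -nodes -sha256 -days 2 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_server_cert CADIR HOST OUTPREFIX: end-entity certificate signed by
# the CA in CADIR, with HOST in subjectAltName (the name a client checks).
issue_server_cert() {
    openssl req -new -config "$1/ca.cnf" -subj "/CN=$2" -newkey rsa:2048 \
        -nodes -sha256 -keyout "$3.key" -out "$3.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$3.ext"
    openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$3.ext" -out "$3.crt" 2>/dev/null
}

# verify_against CAFILE CERT HOST: the check a browser does before showing
# the page. Only CAFILE is trusted; -no-CApath keeps the system store out
# of it. Returns 0 when chain and hostname both verify.
verify_against() {
    openssl verify -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# run_demo: one club CA, one unrelated CA, a server cert from the club CA.
# Prints one line per situation; returns 0 only if all three behave as
# expected (accepted, rejected, rejected).
run_demo() {
    work=$(mktemp -d)
    make_ca "$work/club"  "Sports Club CA"
    make_ca "$work/other" "Somebody Else CA"
    issue_server_cert "$work/club" "addresses.sports.example" "$work/srv"

    ok=0
    if verify_against "$work/club/ca.crt" "$work/srv.crt" "addresses.sports.example"; then
        echo "trusted root, right name:  accepted"; ok=$((ok + 1))
    fi
    if ! verify_against "$work/other/ca.crt" "$work/srv.crt" "addresses.sports.example"; then
        echo "root not in trust list:    rejected"; ok=$((ok + 1))
    fi
    if ! verify_against "$work/club/ca.crt" "$work/srv.crt" "www.evil.example"; then
        echo "trusted root, wrong name:  rejected"; ok=$((ok + 1))
    fi
    rm -rf "$work"
    [ "$ok" -eq 3 ]
}

run_demo
```

The three printed lines are the three situations a browser turns into a dialog box: a root it knows with the right name, a root it does not know (what every user of a CA that is not pre-installed sees, and also what an attacker's substitute certificate looks like), and a known root with the wrong name. The second and third cases look the same to a user who clicks the box away, which is exactly the problem Lutz describes, and it is why a root in the standard list has to stand for a verified identity rather than for "somebody ran openssl req -x509".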
Re: Seeking officers for Free-software-friendly CA
> > With the absorption of Thawte into Verisign, we're concerned that the only
> > remotely free-software-friendly commercial CA will change its policies. The
> > lack of competition bothers us too. So, let's do something about it. A good
> > CA could do more for free software than we've seen so far. We'd like to hear
> > from candidates who could assume the technical leadership of a
> > free-software-friendly CA. A deep technical background in applied cryptography
> > would be required. Please write to me at <[EMAIL PROTECTED]> .

The big problem here is getting Micro$oft and Netscape/AOL to agree to put
this new CA's root into their browsers. Otherwise, it's not going to be very
useful in practice. Or are you thinking about other apps?
Re: Seeking officers for Free-software-friendly CA
I think a free CA would be great. I really wish there was an academic
institution initiative. A big limitation as far as I can see would be
getting certs pre-installed into web browsers. The chance of either MS or
Netscape doing this would be close to none. If my experience is anything to
go by, asking the average user to import a CA can be problematic.

On Wed, 22 Dec 1999, Massimiliano Pala wrote:
> Bruce Perens wrote:
> >
> > Hi OpenSSL users,
> >
> > With the absorption of Thawte into Verisign, we're concerned that the only
> > remotely free-software-friendly commercial CA will change its policies. The
> > lack of competition bothers us too. So, let's do something about it. A good
> > CA could do more for free software than we've seen so far. We'd like to hear
> > from candidates who could assume the technical leadership of a
> > free-software-friendly CA. A deep technical background in applied cryptography
> > would be required. Please write to me at <[EMAIL PROTECTED]> .
> >
> > Thanks
> >
> > Bruce Perens
> > Linux Capital Group
>
> I think that if we receive support, we are going to set up a free certification
> system using the OpenCA software. The problem is the liability definition and
> the legal aspects (not technical).
>
> If you do not know anything about our project you can start by surfing to
>
> http://www.openca.org
>
> we also need contribution from technical and/or experienced people!!! :-D
>
> C'you,
>
> Massimiliano Pala ([EMAIL PROTECTED])
Re: Seeking officers for Free-software-friendly CA
Thomas Reinke wrote:
>
> Sorry for taking this off-thread - is anyone else able
> to actually connect to http://www.openca.org ? We've
> shown it being down (IP not pingable) for the last
> couple of attempts we've made at reaching it...

It seems we lost connectivity with the outside world... we are currently
working on it (but we have to wait for the people responsible for the
network... *GRIN*). Sorry for the inconvenience. Hope to be on soon.

If you want, anyway, you can download the software from any of the mirrors:

  ftp://sunsite.cnlab-switch.ch

C'you,

Massimiliano Pala ([EMAIL PROTECTED])
Re: Seeking officers for Free-software-friendly CA
Sorry for taking this off-thread - is anyone else able to actually connect
to http://www.openca.org ? We've shown it being down (IP not pingable) for
the last couple of attempts we've made at reaching it...

> I think that if we receive support, we are going to set up a free certification
> system using the OpenCA software. The problem is the liability definition and
> the legal aspects (not technical).
>
> If you do not know anything about our project you can start by surfing to
>
> http://www.openca.org
>
> we also need contribution from technical and/or experienced people!!! :-D
>
> C'you,
>
> Massimiliano Pala ([EMAIL PROTECTED])

--
Thomas Reinke                 Tel: (905) 331-2260
Director of Technology        Fax: (905) 331-2504
E-Soft Inc. http://www.e-softinc.com