On Fri, Nov 2, 2012 at 5:46 PM, Hal Finney <[email protected]> wrote:
> Okay, I've got privacyca.com working with that EK cert you sent. There
> were a couple of problems with that cert relative to the spec. The
> certificatePolicies extension is supposed to be marked critical
> (important), and is supposed to contain a string, TCPA Trusted
> Platform Module Endorsement. This is so it is marked as an Endorsement
> Credential in case they want to use the same key to issue other types of
> certificates, which would be stupid. So I've disabled that check for
> now.
>
> Also, in the SubjectDirectoryAttributes extension, there should be a
> field, supportedAlgorithms. They have it, but with the wrong OID. It's
> supposed to be 2.5.4.52, but they have 2.5.5.52. I've allowed the typo
> as an alternate.
>
> With these changes, Privacy CA returns a response. I can't do a full
> end-to-end test of course. Try it and let me know how it goes.
>
> Hal
>
>
>
> On Sat, Oct 13, 2012 at 11:56 PM, Paul Francis <[email protected]> wrote:
>>
>> Hi Hal,
>>
>> Thanks much for getting back.  Attached is the cert produced with your code
>> on my chip (ekcert), as well as a zipped file of certs provided by STM.  The
>> zipped file contains the STM root, some intermediate certs, as well as
>> examples of EK certs.  These examples should serve as well as mine.
>>
>> BTW, let me know if there is any way in which my institute can help take
>> over your server.  I'm a director at the Max Planck Institute for Software
>> Systems (mpi-sws), and can arrange to support this on a permanent basis.
>> Hosting the server itself would be trivial.  Putting together the expertise
>> to provide help to people as you do is less trivial, but I don't think we'd
>> have a problem with that.
>>
>> PF
>>
>>
>>
>> On 10/13/2012 11:21 PM, Hal Finney wrote:
>>>
>>> Thanks for the report. I actually added the STM root cert a few weeks
>>> ago, but I didn't have an EK cert to test it with. Evidently there
>>> is some format difference between the two flavors of certs. Would you
>>> mind sending me your EK cert? I can see what the software doesn't like
>>> about it.
>>>
>>> As far as other services, the Trusted Java project contains privacyca
>>> functionality. But I don't know if anyone is running a public server.
>>> I am actually looking for someone to take over my own server, due to
>>> illness. I've been talking to Jon McCune about it, but maybe a
>>> commercial interest would be an alternative.
>>>
>>> Hal
>>>
>>>
>>> On Thu, Oct 11, 2012 at 5:02 AM, Paul Francis <[email protected]> wrote:
>>>>
>>>>
>>>> Hi all,
>>>>
>>>> I'm doing some development on a project that requires an AIK cert.  It so
>>>> happens that the machine I'm working on has a TPM from ST.  This TPM
>>>> contains an EKCert that ST certifies with GlobalSign as the root.  (You can
>>>> download the certs here if you are interested:)
>>>>
>>>> http://www.st.com/stonline/stappl/resourceSelector/app?page=resourceSelector&doctype=CONFIGURATION_UTILITY&SubClassID=1522
>>>>
>>>> Because privacyca.com only claims to work with Infineon, I didn't really
>>>> expect to be able to get an AIK cert, but on a lark I tried, and sure enough:
>>>>
>>>> ./identity testprivacyca outkeyblobfile outcertfile
>>>> Retrieving PCA certificate...
>>>> Generating identity key...
>>>> Sending request to PrivacyCA.com...
>>>> Processing response...
>>>> Bad response from PrivacyCA.com: Operation failed: Error in endorsement
>>>> cert
>>>> provided in cert-request
>>>> /level1©
>>>> make: *** [remote] Error 1
>>>>
>>>> Now I'm more than happy to buy a box with the Infineon TPM, and probably
>>>> would anyway just for the experience, but I'm wondering if there is any
>>>> chance that Hal or someone would be willing to add ST certs to privacyca.com.
>>>>
>>>> More generally, are there any other CAs out there that act as privacy
>>>> CAs?  Our goal is a commercial product based on this, and so in the long
>>>> run privacyca.com probably won't serve anyway (unless there really are no
>>>> other choices).
>>>>
>>>> Thanks much!
>>>>
>>>> PF (Paul Francis)
>>>>
>>>> _______________________________________________
>>>> TrouSerS-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/trousers-users
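
The two checks Hal describes at the top of the thread (certificatePolicies marked critical and carrying the endorsement string, supportedAlgorithms under 2.5.4.52 with 2.5.5.52 optionally tolerated), as an added example that is not Privacy CA's code and not part of the original messages. The DER walker, the function names and the sample extensions are assumptions; the constructed sample places the string in a userNotice qualifier under a placeholder policy OID.

```python
OID_CERT_POLICIES = bytes.fromhex("551d20")   # 2.5.29.32 certificatePolicies
OID_SUBJ_DIR_ATTRS = bytes.fromhex("551d09")  # 2.5.29.9 subjectDirectoryAttributes
OID_SUPPORTED_ALGS = bytes.fromhex("550434")  # 2.5.4.52, the OID the message expects
OID_TYPO = bytes.fromhex("550534")            # 2.5.5.52, the OID found in the ST cert
EK_TEXT = b"TCPA Trusted Platform Module Endorsement"

def tlv(buf, pos=0):  # one DER element -> (tag, value bytes, offset of next element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(buf, pos=0):  # yield (tag, value) for each element in a constructed body
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val

def check_ek_extensions(ext_der, allow_typo=False):
    """Return deviations from the two checks described in the message."""
    exts, problems = {}, []
    for _, ext in children(tlv(ext_der)[1]):
        f = list(children(ext))  # extnID, optional critical BOOLEAN, extnValue
        exts[f[0][1]] = (len(f) == 3 and f[1][1] != b"\x00", f[-1][1])
    critical, value = exts.get(OID_CERT_POLICIES, (False, b""))
    if not critical:
        problems.append("certificatePolicies missing or not critical")
    if EK_TEXT not in value:  # simplification: byte search, not a qualifier walk
        problems.append("endorsement policy string missing")
    sda = exts.get(OID_SUBJ_DIR_ATTRS, (False, b""))[1]
    attrs = {next(children(a))[1] for _, a in children(tlv(sda)[1])} if sda else set()
    if OID_SUPPORTED_ALGS not in attrs and not (allow_typo and OID_TYPO in attrs):
        problems.append("supportedAlgorithms under 2.5.5.52, expected 2.5.4.52"
                        if OID_TYPO in attrs else "supportedAlgorithms missing")
    return problems

def der(tag, *parts):  # sample builder; short-form lengths only (bodies < 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_extensions(critical, alg_oid):  # constructed; policy OID 1.2.3.4 is a placeholder
    notice = der(0x30, der(0x06, bytes.fromhex("2b06010505070202")), der(0x30, der(0x0C, EK_TEXT)))
    policies = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a0304")), der(0x30, notice)))
    attrs = der(0x30, der(0x30, der(0x06, alg_oid), der(0x31)))
    flag = der(0x01, b"\xff") if critical else b""
    return der(0x30, der(0x30, der(0x06, OID_CERT_POLICIES), flag, der(0x04, policies)),
               der(0x30, der(0x06, OID_SUBJ_DIR_ATTRS), der(0x04, attrs)))
```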
