Subject: [saml-dev] Welcome to Crazy Irving's 24 Hour Certificate Depot!
At prices like these, you'll want one for the house and the car! And, even better, the first n customers receive a free set of Ginsu private keys! (I really need to get more sleep when I'm on the road...)

First, some background. Owners of major domain names (like, say, ibm.com or sun.com) can get really snippy if they think you're issuing certificates that could be used to set up fake web servers and trick people into thinking they're official company property. This is something I hadn't really thought of before this week, or I'd have suggested we take a different approach to host naming. For that reason, I've taken a few steps. First, the CA cert says "OASIS SAML Demo" all over, and doesn't chain to a real trusted root. Second, I've set the certificate lifetime on the issued certs to 60 days, so even if they escape they won't last too much past the demo. Third, I'm overriding the OU and O fields in your certificate requests and replacing them with "O=OASIS SAML Demo". I'm comfortable with this as being clear enough that we can't be blamed if someone clicks past one of these certs.

The next thing I did was override the extensions in your requests. According to the Baltimore PKI expert who helped me get my CA set up, there's no harm (in our environment) in having more extensions than you really need in your certs. So, I'm issuing everybody's certs with the works - Netscape SSL client and server, everybody else's SSL client and server, and signing (for S/MIME).

So, with that, I've attached the first batch. I've done everybody both as a binary (DER) format .p7b file (PKCS#7), and as a text PEM format X.509 certificate - it's the same cert, just in different output formats.

There were two vendors I had trouble with. The Crosslogix requests were for DSA keys; I'm only set up to do RSA right now. RSA is the safe choice for SSLv3. I'm getting error messages that I don't understand when I try to process the Sun request. I've attached an OpenSSL dump of the request, in case anyone else can spot something strange, but to my eye the request seems fine. I tried reformatting it a few different ways, but no luck. I'll pass it on to my expert, but it would help to know how you generated it. In the meantime, can you import a PKCS#12 bundle with server-generated keys? I can build a keypair from scratch, certify it, send you the .p12, and phone you with the passphrase to unlock the private key.

The attached .zip file includes all the requests I have so far, and the certificates I was able to produce. The successful contestants are, in no particular order:

Novell
Oblix
Baltimore
Sigaba
IBM
Entegrity
ePeople

- irving -
Attachment:
SAML Demo Certificates.zip
Description: Binary data
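As an added example, not part of the mail or of the author's own CA setup: the issuing policy described above (the vendor's O and OU superseded by "O=OASIS SAML Demo", a 60-day lifetime, SSL client, SSL server and S/MIME usages, RSA keys only) reproduced with openssl ca on a throwaway demo CA, followed by a check that an issued certificate actually matches that policy. The vendor name, the CN and the temporary paths are assumptions for illustration.

```shell
# Constructed example (not the author's CA setup): openssl ca applies the policy from the
# mail, superseding the vendor's O/OU with "O=OASIS SAML Demo", capping the lifetime at
# 60 days and granting SSL client, SSL server and S/MIME usages. Paths and names are assumed.
set -eu
setup_demo_ca() {   # self-signed demo CA that chains to no trusted root
  WORK=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 60 -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/O=OASIS SAML Demo/CN=OASIS SAML Demo CA" 2>/dev/null
  touch "$WORK/index.txt"; echo 01 > "$WORK/serial"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 60
policy = demo_policy
x509_extensions = demo_ext
[ demo_policy ]
organizationName = supplied
commonName = supplied
[ demo_ext ]
extendedKeyUsage = serverAuth, clientAuth, emailProtection
nsCertType = server, client, email
EOF
}
make_vendor_request() {   # vendor side: RSA key and a request carrying its own O/OU
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/vendor.key" -out "$WORK/vendor.csr" \
    -subj "/O=Example Vendor/OU=Demo/CN=saml.example.test" 2>/dev/null
}
issue_demo_cert() {   # issuer side: -subj supersedes the request's DN; only its CN is kept
  cn=$(openssl req -in "$WORK/vendor.csr" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p')
  openssl ca -batch -notext -config "$WORK/ca.cnf" -subj "/O=OASIS SAML Demo/CN=$cn" \
    -in "$WORK/vendor.csr" -out "$WORK/vendor.pem" 2>/dev/null
  openssl x509 -in "$WORK/vendor.pem" -outform DER -out "$WORK/vendor.der"   # same cert, binary form
}
check_demo_cert() {   # returns 0 only if the issued cert matches the stated policy
  cert="$WORK/vendor.pem"
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | grep -q 'O=OASIS SAML Demo' || return 1
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | grep -q 'Example Vendor' && return 1
  for want in 'Public Key Algorithm: rsaEncryption' 'TLS Web Server Authentication' \
              'TLS Web Client Authentication' 'E-mail Protection'; do
    openssl x509 -in "$cert" -noout -text | grep -q "$want" || return 1
  done
  ! openssl x509 -in "$cert" -noout -checkend $((61 * 86400)) >/dev/null   # must expire within 61 days
}
setup_demo_ca; make_vendor_request; issue_demo_cert
check_demo_cert && echo "issued $WORK/vendor.pem (and .der) under the demo policy"
```

A DSA request would fail at the same openssl ca step the mail describes only if the CA's policy or key restrictions reject it; this demo CA, like the author's, is set up for RSA requests.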