OASIS Mailing List Archives: saml-dev message



Subject: Re: [saml-dev] Welcome to Crazy Irving's 24 Hour Certificate Depot!


Irving,

Awesome. I'm still trying to catch up on this list, but thanks for the hard work getting this stuff working.

Don

(I'm working on 14 hours sleep since Monday morning myself :-)

Irving Reid wrote:

> At prices like these, you'll want one for the house and the car! And, even
> better, the first n customers receive a free set of Ginsu private keys!
>
> (I really need to get more sleep when I'm on the road...)
>
> First, some background. Owners of major domain names (like, say, ibm.com or
> sun.com) can get really snippy if they think you're issuing certificates
> that could be used to set up fake web servers and trick people into thinking
> they're official company property. This is something I hadn't really thought
> of before this week, or I'd have suggested we take a different approach to
> host naming.
>
> For that reason, I've taken a few steps. First, the CA cert says "OASIS SAML
> Demo" all over, and doesn't chain to a real trusted root. Second, I've set
> the certificate lifetime on the issued certs to 60 days, so even if they
> escape they won't last too much past the demo. Third, I'm overriding the OU
> and O fields in your certificate requests and replacing them with "O=OASIS
> SAML Demo". I'm comfortable with this as being clear enough that we can't be
> blamed if someone clicks past one of these certs.
>
> The next thing I did was override the extensions in your requests. According
> to the Baltimore PKI expert who helped me get my CA set up, there's no harm
> (in our environment) with having more extensions than you really need in
> your certs. So, I'm issuing everybody's certs with the works - Netscape SSL
> client and server, everybody else's SSL client and server, and signing (for
> S/MIME).
>
> So, with that, I've attached the first batch. I've done everybody both as a
> binary (DER) format .p7b file (PKCS#7), and as a text PEM format x509
> certificate - it's the same cert, just in different output formats.
>
> There were two vendors I had trouble with.
>
> The Crosslogix requests were for DSA keys; I'm only set up to do RSA right
> now. RSA is the safe choice for SSLv3.
>
> I'm getting error messages that I don't understand when I try to process the
> Sun request. I've attached an OpenSSL dump of the request, in case anyone
> else can spot something strange, but to my eye the request seems fine. I
> tried reformatting it a few different ways, but no luck. I'll pass it on to
> my expert, but it would help to know how you generated it. In the meantime,
> can you import a PKCS#12 bundle with server-generated keys? I can build a
> keypair from scratch, certify it, send you the .p12, and phone you with the
> passphrase to unlock the private key.
>
> The attached .zip file includes all the requests I have so far, and the
> certificates I was able to produce. The successful contestants are, in no
> particular order,
>
> Novell
> Oblix
> Baltimore
> Sigaba
> IBM
> Entegrity
> ePeople
>
>  - irving -
>
> [Attachment: SAML Demo Certificates.zip (application/x-zip-compressed, base64)]

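The issuance procedure Irving describes above, reproduced as an added example with the openssl command-line tool. This is not Irving's tooling or Baltimore's CA; it is a stand-alone sketch of the same four controls (a self-signed "OASIS SAML Demo" root that chains to no real trust anchor, 60-day end-entity certificates, the requester's O/OU replaced by "O=OASIS SAML Demo", and the full extension set for SSL server, SSL client, Netscape certificate types and S/MIME), with output as both PEM and DER PKCS#7 (.p7b), an RSA-only gate on incoming requests, and a server-generated key delivered as a PKCS#12 bundle. All vendor names, subjects and the passphrase are made up; an EC request stands in for the DSA ones as the rejected key type, since the check is simply "is this an RSA key". It assumes an openssl CLI of 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not the tooling from the original message. Throwaway demo CA applying the
# controls described in the mail: isolated self-signed root, 60-day certs, O/OU override,
# "the works" extensions, PEM + DER PKCS#7 output, RSA-only, optional PKCS#12 delivery.
set -eu

WORK=$(mktemp -d)
DEMO_O="OASIS SAML Demo"
CERT_DAYS=60

# Minimal req config so nothing here depends on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# "The works": SSL server + client (EKU), Netscape cert types, and S/MIME protection.
cat > "$WORK/ext.cnf" <<'EOF'
[ v3_demo ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, emailProtection
nsCertType = server, client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -config "$WORK/req.cnf" -x509 -new -sha256 -days 365 -key "$WORK/ca.key" \
    -subj "/O=$DEMO_O/CN=$DEMO_O CA" -out "$WORK/ca.pem"
}

# Vendor side: a request carrying whatever O/OU the vendor chose. $1 = name, $2 = subject.
make_rsa_csr() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -config "$WORK/req.cnf" -new -sha256 -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr"
}

csr_key_type() { openssl req -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: *//p'; }

# CA side. $1 = CSR, $2 = output path base. Refuses non-RSA keys, keeps only the requester's
# CN and public key, stamps O=OASIS SAML Demo, 60 days, and the demo extensions.
issue_cert() {
  alg=$(csr_key_type "$1")
  if [ "$alg" != "rsaEncryption" ]; then
    echo "refusing $1: key algorithm is $alg, this CA issues RSA only" >&2
    return 1
  fi
  cn=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  # We do not hold the vendor's private key, so the subject override is done by building a
  # fresh request (signed with the CA key) and forcing the vendor's public key into the cert.
  openssl req -in "$1" -noout -pubkey > "$2.pub"
  openssl req -config "$WORK/req.cnf" -new -sha256 -key "$WORK/ca.key" \
    -subj "/O=$DEMO_O/CN=$cn" -out "$2.override.csr"
  openssl x509 -req -in "$2.override.csr" -force_pubkey "$2.pub" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days "$CERT_DAYS" \
    -extfile "$WORK/ext.cnf" -extensions v3_demo -out "$2.pem" 2>/dev/null
  # The same certificate in both shapes shipped in the mail: PEM x509 and DER PKCS#7 (.p7b).
  openssl crl2pkcs7 -nocrl -certfile "$2.pem" -outform DER -out "$2.p7b"
}

# Server-generated key delivered as PKCS#12; the passphrase travels out of band (by phone).
make_p12() {
  make_rsa_csr "$1" "/O=ignored/CN=$1"
  issue_cert "$WORK/$1.csr" "$WORK/$1"
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" -certfile "$WORK/ca.pem" \
    -passout "pass:$2" -out "$WORK/$1.p12"
}

# Checks a recipient can run on what came out of the CA.
cert_subject()      { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_verifies()     { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }
cert_lifetime_60d() {
  openssl x509 -in "$1" -noout -checkend $((59 * 86400)) >/dev/null &&
  ! openssl x509 -in "$1" -noout -checkend $((61 * 86400)) >/dev/null
}
cert_has_all_ekus() { openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection'; }
p7b_holds_cert()    { openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -q "$DEMO_O"; }
p12_opens_with()    { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject 2>/dev/null | grep -q "$DEMO_O"; }

make_ca
# Constructed vendor request with its own O/OU, which the CA will discard.
make_rsa_csr vendor "/O=Example Vendor Inc/OU=Identity Products/CN=sso.vendor.example"
issue_cert "$WORK/vendor.csr" "$WORK/vendor"
# Constructed non-RSA request (EC, standing in for the DSA ones) for the key-type gate.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key"
openssl req -config "$WORK/req.cnf" -new -sha256 -key "$WORK/ec.key" -subj "/O=Example/CN=ec.vendor.example" -out "$WORK/ec.csr"
make_p12 sunlike "demo-passphrase"
echo "issued: $(cert_subject "$WORK/vendor.pem")"
```

The -force_pubkey step is the only non-obvious part: a CA that wants to rewrite the subject of a request it cannot re-sign (it has no access to the vendor's private key) builds its own request with the desired name and substitutes the vendor's public key at signing time. Check the result with `openssl x509 -in vendor.pem -noout -text`: the subject carries only the demo O and the vendor's CN, the validity window is 60 days, and the EKU and nsCertType lines list server, client and e-mail use. The self-signed "OASIS SAML Demo CA" root is what makes the whole batch harmless outside the demo: nothing will trust it unless someone installs it on purpose.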