Subject: Re: [saml-dev] Welcome to Crazy Irving's 24 Hour Certificate Depot!
Irving,

Awesome. I'm still trying to catch up on this list, but thanks for the hard work getting this stuff working.

Don

(I'm working on 14 hours sleep since Monday morning myself :-)

Irving Reid wrote:
> At prices like these, you'll want one for the house and the car! And, even
> better, the first n customers receive a free set of Ginsu private keys!
>
> (I really need to get more sleep when I'm on the road...)
>
> First, some background. Owners of major domain names (like, say, ibm.com or
> sun.com) can get really snippy if they think you're issuing certificates
> that could be used to set up fake web servers and trick people into thinking
> they're official company property. This is something I hadn't really thought
> of before this week, or I'd have suggested we take a different approach to
> host naming.
>
> For that reason, I've taken a few steps. First, the CA cert says "OASIS SAML
> Demo" all over, and doesn't chain to a real trusted root. Second, I've set
> the certificate lifetime on the issued certs to 60 days, so even if they
> escape they won't last too much past the demo. Third, I'm overriding the OU
> and O fields in your certificate requests and replacing them with "O=OASIS
> SAML Demo". I'm comfortable with this as being clear enough that we can't be
> blamed if someone clicks past one of these certs.
>
> The next thing I did was override the extensions in your requests. According
> to the Baltimore PKI expert who helped me get my CA set up, there's no harm
> (in our environment) with having more extensions than you really need in
> your certs. So, I'm issuing everybody's certs with the works - Netscape SSL
> client and server, everybody else's SSL client and server, and signing (for
> S/MIME).
>
> So, with that, I've attached the first batch. I've done everybody both as a
> binary (DER) format .p7b file (PKCS#7), and as a text PEM format x509
> certificate - it's the same cert, just in different output formats.
>
> There were two vendors I had trouble with.
>
> The Crosslogix requests were for DSA keys; I'm only set up to do RSA right
> now. RSA is the safe choice for SSLv3.
>
> I'm getting error messages that I don't understand when I try to process the
> Sun request. I've attached an OpenSSL dump of the request, in case anyone
> else can spot something strange, but to my eye the request seems fine. I
> tried reformatting it a few different ways, but no luck. I'll pass it on to
> my expert, but it would help to know how you generated it. In the meantime,
> can you import a PKCS#12 bundle with server-generated keys? I can build a
> keypair from scratch, certify it, send you the .p12, and phone you with the
> passphrase to unlock the private key.
>
> The attached .zip file includes all the requests I have so far, and the
> certificates I was able to produce. The successful contestants are, in no
> particular order,
>
> Novell
> Oblix
> Baltimore
> Sigaba
> IBM
> Entegrity
> ePeople
>
> - irving -
>
> Attachment: SAML Demo Certificates.zip (application/x-zip-compressed, base64)
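The CA procedure Irving describes in the quoted message (a demo-only issuer that chains to nothing trusted, a 60-day lifetime, the requester's O/OU replaced with "O=OASIS SAML Demo" while the CN is kept, the requested extensions discarded in favour of a broad fixed set, the same cert written as PEM and as a DER PKCS#7 .p7b, RSA-only issuance, and a PKCS#12 bundle around a CA-generated key for the requester whose CSR could not be processed), worked through with the openssl command line. This is an added example, not code from the thread or from the Baltimore CA Irving was using; the working directory, the ca.cnf layout, the vendor hostnames and the passphrase are all assumptions.

```shell
#!/bin/sh
# Added example (not from the saml-dev thread): a throwaway demo CA driven
# from the openssl CLI that applies the controls Irving lists. Paths, vendor
# hostnames and the passphrase are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One-time CA setup: key, self-signed cert, and the openssl ca(1) database.
# Nothing signs the CA cert, so clients will (correctly) warn about it.
make_demo_ca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -sha256 \
        -subj "/O=OASIS SAML Demo/CN=OASIS SAML Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Unquoted heredoc so $WORK expands. copy_extensions=none drops whatever
    # the requester asked for; the fixed demo_ext profile is applied instead.
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
new_certs_dir   = $WORK/newcerts
database        = $WORK/index.txt
serial          = $WORK/serial
certificate     = $WORK/ca.pem
private_key     = $WORK/ca.key
default_md      = sha256
default_days    = 60
policy          = demo_policy
x509_extensions = demo_ext
copy_extensions = none
unique_subject  = no
[ demo_policy ]
organizationName = supplied
commonName       = supplied
[ demo_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth, emailProtection
nsCertType             = server, client, email
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Public-key algorithm named in a CSR, e.g. "rsaEncryption" or "dsaEncryption".
csr_key_alg() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# CN as submitted, so the requester's hostname survives the subject override.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# issue_demo_cert CSR OUTBASE -> OUTBASE.pem and OUTBASE.p7b (same cert, two encodings).
# Returns 2 for non-RSA requests (this CA is "only set up to do RSA"), 3 if the
# request carries no CN to keep.
issue_demo_cert() {
    csr="$1"; out="$2"
    [ "$(csr_key_alg "$csr")" = "rsaEncryption" ] || return 2
    cn="$(csr_cn "$csr")"
    [ -n "$cn" ] || return 3
    # -subj supersedes the request's whole subject: O/OU replaced, CN kept.
    openssl ca -batch -config "$WORK/ca.cnf" -notext \
        -subj "/O=OASIS SAML Demo/CN=$cn" -in "$csr" -out "$out.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$out.pem" -outform DER -out "$out.p7b"
}

# For a requester whose CSR cannot be processed: CA-generated key, certified,
# then wrapped as PKCS#12. The passphrase must travel out of band (by phone).
issue_p12_bundle() {
    cn="$1"; out="$2"; pass="$3"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$out.key" 2>/dev/null
    openssl req -new -key "$out.key" -subj "/CN=$cn" -out "$out.csr"
    issue_demo_cert "$out.csr" "$out"
    openssl pkcs12 -export -inkey "$out.key" -in "$out.pem" -certfile "$WORK/ca.pem" \
        -passout "pass:$pass" -out "$out.p12"
}
```

Two points worth checking on the output rather than taking on trust: `openssl verify -CAfile ca.pem cert.pem` must succeed while plain `openssl verify cert.pem` against the system store must fail, which is the "doesn't chain to a real trusted root" property; and `openssl x509 -noout -text` on an issued cert should show only the demo_ext profile, never the requester's extensions, because `copy_extensions = none` is what makes the override real. A DSA request is refused before `openssl ca` ever sees it, matching the Crosslogix case.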