RE: Which product to buy?
On Tue, 14 May 2002, Franck Martin wrote:

[snip]
> Who can't see that this message is digitally signed and do you know why?

I can see that it is signed, but pine doesn't know what to do with an Application/X-PKCS7-SIGNATURE bodypart.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of user.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Which product to buy?
On Mon, 13 May 2002, Franck Martin wrote:

> I'd like to buy a certificate from verisign or thawte that allows me to sign other certificates. The test certificate produced has the extension CA:FALSE. I'm not sure if I can sign anything with this kind of certificate, please advise...

No. These certificates are not intended to sign any other entity. If you order a standard certificate, you definitely won't have a CA certificate. :)

> What happens when the certificate expires, how to renew it without having to renew other certificates?

When your own certificate expires, you only need to renew it. What else would you like to renew?

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-
``Do you want protocols that look nice or protocols that work nice?''
Mike Padlipsky, internet architect
Re: Which product to buy?
> I'd like to buy a certificate from verisign or thawte that allows me to sign other certificates. The test certificate produced has the extension CA:FALSE. I'm not sure if I can sign anything with this kind of certificate, please advise...

No, you can't sign anything with that. What you need is what I think they call a cross-signing cert. Last time I looked (about 2 years ago) you needed about 100K US to buy one.

> What happens when the certificate expires, how to renew it without having to renew other certificates?

You can't. Your CA certificate life cycle must be longer than any certificates issued by it.

--
Dean Povey, | em: [EMAIL PROTECTED] | JCSI: Java security toolkit
Senior S/W Developer | ph: +61 7 3023 5139 | uPKI: Embedded/C PKI toolkit
Wedgetail Communications | fax: +61 7 3864 1282 | uSSL: Embedded/C SSL toolkit
Brisbane, Australia | www: www.wedgetail.com | XML Security: XML Signatures
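The point made in the replies above, as an added example that is not part of the original thread: a certificate marked CA:FALSE can still be used mechanically to sign another certificate, but a relying party rejects the resulting chain. The subject names (`demo-root`, `demo-leaf`, `demo-sub`) and file names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread. All names and files are constructed.
# Builds root -> leaf (CA:FALSE) -> sub and reports how `openssl verify` judges each.

check_ca_false_chain() (
    d=$(mktemp -d) && cd "$d" || exit 2
    trap 'rm -rf "$d"' EXIT
    q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

    # Extension sets: a real CA versus an end-entity certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\n' > ee.ext

    # One key and CSR per subject.
    for n in root leaf sub; do
        q openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -subj "/CN=demo-$n" -out "$n.csr" || exit 2
    done

    # Root: self-signed, CA:TRUE.
    q openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 30 -out root.pem || exit 2
    # Leaf: issued by the root with CA:FALSE, like a standard purchased certificate.
    q openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ee.ext -days 30 -out leaf.pem || exit 2
    # Sub: signed with the leaf's key. The signing step itself does not object...
    q openssl x509 -req -in sub.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
        -extfile ee.ext -days 30 -out sub.pem || exit 2

    # ...but chain validation does: the leaf is not allowed to act as an issuer.
    if q openssl verify -CAfile root.pem leaf.pem; then r1=accepted; else r1=rejected; fi
    if q openssl verify -CAfile root.pem -untrusted leaf.pem sub.pem; then
        r2=accepted
    else
        r2=rejected
    fi
    echo "leaf=$r1 sub=$r2"
)

check_ca_false_chain   # prints: leaf=accepted sub=rejected
```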
Re: Which product to buy?
Does anybody sell certificates that allow you to sign certificates?

Will there still be a trust problem? A signs B that signs C. User X trusts A and receives C, is C trusted too?

If B expires, but C dates are still ok, and I renew B (with which openssl command, by the way), is C still valid or do I have to renew C too?

Cheers.
Franck

On Mon, 2002-05-13 at 08:11, Erwann ABALEA wrote:

> On Mon, 13 May 2002, Franck Martin wrote:
>
> > I'd like to buy a certificate from verisign or thawte that allows me to sign other certificates. The test certificate produced has the extension CA:FALSE. I'm not sure if I can sign anything with this kind of certificate, please advise...
>
> No. These certificates are not intended to sign any other entity. If you order a standard certificate, you definitely won't have a CA certificate. :)
>
> > What happens when the certificate expires, how to renew it without having to renew other certificates?
>
> When your own certificate expires, you only need to renew it. What else would you like to renew?
RE: Which product to buy?
In theory, you should be able to save the message and issue the following command:

openssl smime -verify -in message.txt

But I had various levels of luck with this command... Let me know how it works for you... And if anybody can make it work?

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/
Certificate: https://www.sopac.org/ssl/

This e-mail is intended for its addresses only. Do not forward this e-mail without approval. The views expressed in this e-mail may not be necessarily the views of SOPAC.

-----Original Message-----
From: Christopher Curtis [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 14 May 2002 10:25
To: '[EMAIL PROTECTED]'
Subject: RE: Which product to buy?

On Tue, 14 May 2002, Franck Martin wrote:

> BTW: Who can't see that this message is digitally signed and do you know why?

PINE tells me that there is a PKCS#7 attachment, but I don't have the tools installed to verify it ...

rgds,
Chris
RE: Which product to buy?
1) I had a report of outlook XP crashing for the same reasons. I read somewhere that outlook is trying to get the cert above in the trust... I can't find anything else on the subject. Do you have an idea why it hangs?

2) This is the reason why I sign my messages in clear text, so that any mail client can read my message. You should be able to save the message and process it with openssl. I'm not sure here about all the required commands.

openssl smime -verify -in message.txt

But I think openssl is bugged or not finished on this part...

Franck Martin

-----Original Message-----
From: GOLDING,CHARLTON (Non-HP-Corvallis,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 14 May 2002 10:44
To: '[EMAIL PROTECTED]'
Subject: RE: Which product to buy?

Franck,

Well two things.

1. When I get some of these signed messages (not just yours) and when those have certs my system doesn't like, this can make outlook hang. I expect win32 things to hang, blue screen or whatever so this isn't a complaint, just a reality of the OS. For those messages on a win32 system I usually have to delete them to get the email reader to work again.

2. An older version of pine on one of my systems doesn't seem to have any awareness of certificates and ignores them. It came around before Certificate/signed email was a common thing so doesn't have code to deal with the signature. Other email readers, or even email host applications might very well strip certificates like they do some attachments.

Chet
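The `openssl smime -verify -in message.txt` command from the two messages above, as an added example that is not part of the original thread: it clear-signs a message and shows that verification depends on giving `openssl` a trust anchor for the signer, separately from the signature check itself. The signer name, file names and message text are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread. Signer, files and message text are constructed.
# Clear-signs a message, then verifies it under four conditions.

smime_verify_demo() (
    d=$(mktemp -d) && cd "$d" || exit 2
    trap 'rm -rf "$d"' EXIT
    q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

    # Self-signed certificate standing in for the sender's signing certificate.
    q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-signer" \
        -keyout signer.key -out signer.pem || exit 2

    printf 'Which product to buy?\n' > body.txt
    # Default output is multipart/signed: a readable body plus a detached
    # PKCS#7 signature part, so any mail client can still show the text.
    q openssl smime -sign -in body.txt -signer signer.pem -inkey signer.key \
        -out message.txt || exit 2

    # 1. Trust anchor supplied: signature and certificate chain both check out.
    if q openssl smime -verify -in message.txt -CAfile signer.pem -out /dev/null
    then a=ok; else a=fail; fi
    # 2. Bare command as in the thread: the signer does not chain to a trusted CA.
    if q openssl smime -verify -in message.txt -out /dev/null
    then b=ok; else b=fail; fi
    # 3. -noverify skips the chain check: proves integrity only, not who signed.
    if q openssl smime -verify -noverify -in message.txt -out /dev/null
    then c=ok; else c=fail; fi
    # 4. Body altered after signing: the digest no longer matches.
    sed 's/product/PRODUCT/' message.txt > tampered.txt
    if q openssl smime -verify -in tampered.txt -CAfile signer.pem -out /dev/null
    then e=ok; else e=fail; fi

    echo "trusted=$a untrusted=$b noverify=$c tampered=$e"
)

smime_verify_demo   # prints: trusted=ok untrusted=fail noverify=ok tampered=fail
```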