Hi Matthias

I really appreciate your detailed email. It is helpful for me. I have some basic knowledge of PKI. I have one question: how can OpenCA help in PKI? I mean, does it provide all corresponding functions, just install and play with? I mean, should I activate httpd and install OpenCA somewhere in an Apache server? Or build my own connection and develop my own secure protocol?

Thanks again
shakeel
--
Shakeel Ahmad
"Donate the Money to Earthquake Victims.
The average income in Pakistan is about 50$ per month.
It means you can give average life for only 50$ PM."

Quoting Matthias Alsmann <[EMAIL PROTECTED]>:

> Hi,
> first of all you should have lots of time to read through some books /
> internet pages / ...
> When I started with my PKI I ran over the "OpenSource PKI Book", but I
> did not read it because I already had some knowledge at that time, but
> perhaps it will help you:
> http://ospkibook.sourceforge.net/
>
> Furthermore I would recommend to get some knowledge about the following
> topics:
> - hashing algorithms
> - symmetric encryption / asymmetric = public-private-key encryption
> - What are certificates? What is x509v3? Difference of PGP to x509v3
>   certificates
> - How can I check the validity of a certificate? How can I trust in a
>   certificate / CA? How can I check the integrity of a certificate? CRL
>   vs. OCSP
> - some knowledge about crypto analysis could also be helpful if you
>   have to decide which hashing and encryption algorithms to use (e.g.
>   known attacks on md5, importance of the key length, ...)
> - you should also be familiar with Linux and Perl if you want to dig a
>   little bit deeper into OpenCA
> - ...
>
> I used a very good book to get a lot of that knowledge but it is in
> German and I don't know if it is available in other languages:
> Wohlmacher, Petra: Digitale Signaturen und Sicherheitsinfrastrukturen
> - Grundlagen, Sicherheitsaspekte, Realisierungen, Anwendungen;
> Höhenkirchen: TT Verlag für Informationstechnik GmbH, 2001; ISBN:
> 3-936052-01-8
>
> Here are some links that could perhaps be helpful for you:
> A glossary I used several times:
> http://www.dcoce.ox.ac.uk/glossary/
> The SHA-1 standard:
> http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
> The DES standard:
> http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
> The draft for SCEP (please check if there is a newer one available):
> http://ietfreport.isoc.org/all-ids/draft-nourse-scep-13.txt
> Some information about hashing crypto analysis:
> http://cm.bell-labs.com/who/akl/hash.pdf
> The OpenCA documentation (also check if a newer one is available):
> http://albert.openca.org/openca/docs/
> Useful RFCs:
> 1321 -> MD5
> 2401 - about 2412 -> IPSec ...
> 2527 -> X509 Certificate Policy and Certification Practice Statement
> 2560 -> X509 - OCSP (Online Certificate Status Protocol)
> 3280 -> X509 - CRL (Certificate Revocation List)
> Blog from Bruce Schneier about "SHA-1 broken":
> http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
> A report about collisions for hash functions:
> http://eprint.iacr.org/2004/199.pdf
> And last but not least you should have a look at Wikipedia in the
> beginning because it is sometimes easier to understand and get some
> basic knowledge before starting with the real details ;-)
>
> In the beginning it's really hard to get into all those details but
> later it is real fun to work with PKIs and all the possible
> cryptographic scenarios.
>
> Kind regards and a nice weekend,
>
> Matthias
>
>
> On 7/6/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Hi
> > I want to develop PKI infrastructure for my organization but I am new
> > in this area. Can anybody guide me from where I should start? What
> > should be my starting point
> >
> > thanks
> > shakeel
> > --
> > Shakeel Ahmad
> >
> > Quoting Dominique Lohez <[EMAIL PROTECTED]>:
> >
> > > Krzysztof Ryba wrote:
> > > > Hello
> > > >
> > > > Three months ago Nicolas Vahlas wrote, but there was no answer:
> > > >
> > > >> I have an installation of OpenCA where the CA certificate has expired.
> > > >> This was a self-signed CA certificate.
> > > >> I would like to renew this certificate i.e. extend the expiration date
> > > >> without changing the rest of the certificate's data.
> > > >>
> > > >> Is there a way to do this ?
> > > >>
> > > >> What if I use the "General" > "Initialization" > "Initialize the
> > > >> Certification Authority" > "Self Signed CA Certificate (from already
> > > >> generated request)" functionality of the OpenCA web interface ?
> > > >>
> > > >> If not, should I use OpenSSL directly ? How is this possible ?
> > > >
> > > > Now I have a very similar problem: I have to issue a certificate for a
> > > > user which will be valid for the next 24 months, but unfortunately the
> > > > CA self-signed certificate is going to expire in 11 months, so I have
> > > > to, e.g., extend the expiration date of the CA cert.
> > > >
> > > > Is it possible (and if so, how) to do this? Could anyone help and give
> > > > me/us some hint.
> > > >
> > > > Regards,
> > > >
> > > Unfortunately a CA certificate should not be renewed before the pki
> > > infrastructure has become obsolete !!
> > > Thus the CA certificate always has serial number 0.
> > > Working around this problem could be done using openssl but this should
> > > not be recommended.
> > >
> > > When I encountered a similar problem, I redefined a new pki
> > > infrastructure from scratch and provided new certificates to all the
> > > old users.
> > >
> > > Sorry,
> > >
> > > Dominique
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by DB2 Express
> > > Download DB2 Express C - the FREE version of DB2 express and take
> > > control of your XML. No limits. Just data. Click to get it now.
> > > http://sourceforge.net/powerbar/db2/
> > > _______________________________________________
> > > Openca-Users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/openca-users
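
The validity question in the quoted thread (a 24-month user certificate under a CA certificate that expires in 11 months) can be checked before anything is issued. The script below is an added example, not part of the thread or of OpenCA: it uses `openssl x509 -checkend` against a constructed throwaway CA, and the function names and the 330/730-day figures (standing in for 11 and 24 months) are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread or from OpenCA. Function names are
# hypothetical; 330 and 730 days stand in for "11 months" and "24 months".

# ca_covers CA_PEM DAYS: exit 0 if the CA certificate is still valid DAYS
# from now, so a certificate issued today for DAYS would not outlive it.
ca_covers() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# max_leaf_days CA_PEM LIMIT: print the longest lifetime in days (0..LIMIT)
# that still ends before the CA certificate does (binary search).
max_leaf_days() {
    ca=$1 lo=0 hi=$2
    ca_covers "$ca" 0 || { echo 0; return 1; }   # CA already expired
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if ca_covers "$ca" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# make_test_ca DIR DAYS: constructed throwaway self-signed CA for the demo.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_test_ca "$dir" 330 || { rm -rf "$dir"; return 1; }
    if ca_covers "$dir/ca.pem" 730; then
        echo "CA outlives a 730-day certificate"
    else
        echo "CA expires first; longest lifetime it covers:" \
             "$(max_leaf_days "$dir/ca.pem" 730) days"
    fi
    rm -rf "$dir"
}

demo
```

Pointed at a real CA certificate instead of the constructed one, `ca_covers` answers whether a requested lifetime fits inside the CA's remaining validity.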
