Re: Generating CSR for Netscape Certificate Server based CA (fwd)

2000-01-31 Thread Nicolas Aragon

Hello,

On 29 Jan 00, at 19:48, Merton Campbell Crockett wrote:

 To date, I have not been able to generate a CSR that is acceptable to the
 Netscape Certificate Server.  All requests are rejected with a "bad DER
 encoding" error.  

I had the same error message from Navigator with a certificate that
included an underscore in the CN.

greetings

  Nico

--
Nicolás Aragón
[EMAIL PROTECTED]
Departamento de Industria y Servicios
Software AG España
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: SSL and non-repudiation (WARNING: contains product plug)

1999-11-25 Thread Nicolas Aragon

Neil,

First of all, thanks for your response. 

On 24 Nov 99, at 14:02, Neil Costigan wrote:

 mini-advert
 
 To address the non-repudiation / SSL issue
 We at Celo developed, over the OpenSSL libs, a web browser plugin
 that allows a web content author to 'demand' that a user digitally sign
 (using pkcs7/smime)
 some data pushed out from a web server.
 
 It is invoked by standard plugin activation embed tag.
 The server then gets back via HTTPS POST an s/mime package of the
 signed data for verification and (optionally) storage for later
 non-repudiation.
 
 Both software based certificates and a number of smartcard readers /
 smart cards are supported.
 We're supporting both IE and netscape.

Your product seems to be very close to what we're looking for. 
There's a little (but needed!) point to take into account, though: 
traffic matters. Data are files (up to 100kb) and come from 
the client. Server is Netscape Enterprise Server and these
long HTTP posts have caused much trouble. Number of clients
is slowly increasing. Uploads concentrate in a very short
time interval.

It wouldn't be reasonable for our customers to send the data
back and then sign them, this would be to double the traffic
and some other problems about the application logic would arise.

I can think of some workaround involving server side, but then
we lose the advantage of choosing an external packaged product
instead of developing the solution by ourselves.

OTOH, it would be nice to provide the client with a signed
confirmation from the server telling them that data have been
received.

Any ideas?

 The majority of current customers are using this to get their customers
 to confirm/sign transactions passed through html forms.

We use the "file" tag in forms and there's a plugin to validate
the file in the client yet, in order to avoid traffic when the
data is clearly invalid.

BTW, as far as I know, the ActiveCard Reader (we use it) doesn't
allow access to more than one application concurrently. We've
had many problems with this issue trying to control the
reader from a plugin while Navigator is using it to retrieve 
the stored certificate. 
 
 See http://www.celocom.ie for details and a download that one can try
 against a test server we run.

We'll give it a try. Thanks again.

With best regards,

--
Nicolás Aragón
[EMAIL PROTECTED]
Departamento de Proyectos Avanzados
Software AG España