Learning the basics.
I'm trying to get my head round a basic setup. I want to use ssl between a java client and IIS server, I'm happy with a self certification system, i.e. not using Thawte etc. since it is currently only a two terminal setup. From what I've read to date, openssl seems to fit the bill. I hope so. Please correct me if I'm wrong. 1. 'me' as CA Generate a key pair and 'self sign' it. 2. Endpoint A (client) Generate a certificate request send it to CA CA signs it and returns a certificate. 3. Endpoint B (server/recipient of REST service) Registers the CA as a trusted authority (how?) 'Has access' to the private key of the CA (the server and CA are in reality one and the same organisation) 4. The client encrypts using the public key returned by the CA 5. The server decrypts using the private key. 1. Is this logic OK. 2., I've used the ca.pl scripts so far which seem to handle most of what I'm after. I'm basing it on http://www.mobilefish.com/developer/openssl/openssl_quickguide_create_ca.html How easy is it to translate this into what I want please? 3. Is openssl the right tool for this scenario? regards -- Dave Pawson XSLT XSL-FO FAQ. http://www.dpawson.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Learning the basics.
Registers the CA as a trusted authority (how?) Yes, that is the entry point into the trust model. A client can only trust you as much as he trusts the way he got the certificate of the CA that certified you. So private meetings and USB sticks are usually a decent way to go I believe. This indeed means that if you downloaded your web browser from a dodgy source (and the Internet is dodgy) in theory you can't really trust the CA certificates that were delivered with it :) Dave Pawson wrote: I'm trying to get my head round a basic setup. I want to use ssl between a java client and IIS server, I'm happy with a self certification system, i.e. not using Thawte etc. since it is currently only a two terminal setup. From what I've read to date, openssl seems to fit the bill. I hope so. Please correct me if I'm wrong. 1. 'me' as CA Generate a key pair and 'self sign' it. 2. Endpoint A (client) Generate a certificate request send it to CA CA signs it and returns a certificate. 3. Endpoint B (server/recipient of REST service) Registers the CA as a trusted authority (how?) 'Has access' to the private key of the CA (the server and CA are in reality one and the same organisation) 4. The client encrypts using the public key returned by the CA 5. The server decrypts using the private key. 1. Is this logic OK. 2., I've used the ca.pl scripts so far which seem to handle most of what I'm after. I'm basing it on http://www.mobilefish.com/developer/openssl/openssl_quickguide_create_ca.html How easy is it to translate this into what I want please? 3. Is openssl the right tool for this scenario? regards -- Alain Damiral, I hope this message makes me look like a very intelligent person Université Catholique de Louvain - student __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Learning the basics.
On 6/15/06, Dave Pawson [EMAIL PROTECTED] wrote: 3. Endpoint B (server/recipient of REST service) Registers the CA as a trusted authority (how?) 'Has access' to the private key of the CA (the server and CA are in reality one and the same organisation) While that would be possible in theory, that's discouraged because of: 4. The client encrypts using the public key returned by the CA 5. The server decrypts using the private key. isn't the way it should be done. Your ca person/team/machine whatever should be as isolated from any day-to-day services you provide. One would normally issue another certificate for the server, which in turn is trusted by the client, because it trusts the ca. There should even be a error saying something about encrypting (directly) to a self-signed certs public key. Your reference does say The server returns the site's certificate which does NOT mean the site's ca certificate. best regards, K. Hoercher __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Learning the basics.
Even if your browser was personally installed by the Pope, you still have the same problem. First, the self signed root certificates included in every machine generally don't represent any duly constituted public authority. They're typically the product of companies that can be bought and sold, and have been bought and sold, sometimes by some iffy new owners. We should all be thankful that the recent acquiror of GeoTrust wasn't a front for the Russian mafia. There are no assurances that won't happen in the future, it would be a perfectly legal transaction. Imagine XYZ Enterprises purchasing the birth and death records department, the building inspections department, the health inspection department at your city hall. In this online space we inhabit, that's the way it's done. There is only one source of duly constituted public authority that I know of that is seriously trying to do something about the situation. Second, the certifications themselves are typically meaningless. If you have a phone line you can get that lock icon on your site. You don't have to sign personally. You don't have to demonstrate that you're anything but a career criminal. All they need to know is that their robot can place a call to the phone number you gave, and that you can type a control number from a browser into a phone keypad. Imagine a world where building permits were signed by bunch_of_architects.com, structural_engineers_r_us.com and building_inspectors.com instead of licensed professionals - individual human beings - who could be held accountable for their work. Yep, that's our online world. The result is the urban slum that is the Internet. (See my sig for a view of how this has affected the world.) Third, as you point out, there is no standard by which identity is established in the RA (registration authority) process. I suggest that even with private meetings and USB sticks, you can still only trust a universe that is as big as your collegial group, maybe two or three relationships removed from yourself as long as no serious money is involved. Tabelio is the only thing I know of that tries to remedy this situation by issuing a truly reliable universal ID credential while at the same time fully protecting individual privacy (full disclosure: I am involved with Tabelio). SSL is great. It's time to connect it to the real world using methods and procedures that have been working well for thousands of years. Alain Damiral wrote: Registers the CA as a trusted authority (how?) Yes, that is the entry point into the trust model. A client can only trust you as much as he trusts the way he got the certificate of the CA that certified you. So private meetings and USB sticks are usually a decent way to go I believe. This indeed means that if you downloaded your web browser from a dodgy source (and the Internet is dodgy) in theory you can't really trust the CA certificates that were delivered with it :) Dave Pawson wrote: I'm trying to get my head round a basic setup. I want to use ssl between a java client and IIS server, I'm happy with a self certification system, i.e. not using Thawte etc. since it is currently only a two terminal setup. From what I've read to date, openssl seems to fit the bill. I hope so. Please correct me if I'm wrong. 1. 'me' as CA Generate a key pair and 'self sign' it. 2. Endpoint A (client) Generate a certificate request send it to CA CA signs it and returns a certificate. 3. Endpoint B (server/recipient of REST service) Registers the CA as a trusted authority (how?) 'Has access' to the private key of the CA (the server and CA are in reality one and the same organisation) 4. The client encrypts using the public key returned by the CA 5. The server decrypts using the private key. 1. Is this logic OK. 2., I've used the ca.pl scripts so far which seem to handle most of what I'm after. I'm basing it on http://www.mobilefish.com/developer/openssl/openssl_quickguide_create_ca.html How easy is it to translate this into what I want please? 3. Is openssl the right tool for this scenario? regards -- Wes Kussmaul CIO The Village Group 738 Main Street Waltham, MA 02451 781-647-7178 My uncle likes to say that the world’s biggest troubles started when the serpent said, “Try this fruit, and by the way if a bunch of people collectively calling themselves Arthur Andersen signs something it’s the same as if a person named Arthur Andersen signed it.” I don’t get the serpent and fruit part. Must be some Swiss mythology thing. He can be a bit obscure. P.K. Iggy _How I Like Fixed The Internet_ (Tales from the Great Infodepression of 2009 and the prosperity that followed) __ OpenSSL Project http://www.openssl.org User Support Mailing List
Re: Learning the basics.
On Sat, Jun 17, 2006 14:20:07 PM -0400, Wes Kussmaul ([EMAIL PROTECTED]) wrote: First, the self signed root certificates included in every machine generally don't represent any duly constituted public authority... There is only one source of duly constituted public authority that I know of that is seriously trying to do something about the situation. And that would be? Seriously: who are you referring to, if I may ask? Thanks, Marco -- Marco Fiorettimfioretti, at the server mclink.it Fedora Core 3 for low memory http://www.rule-project.org/ Any medium powerful enough to extend man's reach is powerful enough to topple his world. To get the medium's magic to work for one's aims rather than against them is to attain literacy. Alan Kay, Computer Software, Scientific American, Sep. 1984 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]