Richard Levitte - VMS Whacker [EMAIL PROTECTED] writes:
From: [EMAIL PROTECTED] (Peter Gutmann)
pgut001 Given that (statistically speaking) the client will be a
pgut001 Windoze box with a time which is more or less random, the use
pgut001 of absolute timestamps doesn't add much, it would have
"Florian Oelmaier" [EMAIL PROTECTED] writes:
We do the same, as we directly connect to the CA-database, but we set
thisUpdate to the actual time as this seems to make more sense. It would be
fine to have an option within OpenSSL that says: "Trust only responses with a
thisUpdate not more than x
Rodney Thayer [EMAIL PROTECTED] writes:
by the way, dumpasn1 doesn't quite parse this correctly, it's got n, d, p, q,
dmp1, dmq1, and iqmp. The display of 'n' is missing the last byte.
Can you send me the file? (I assume that's my dumpasn1 you're referring to).
Peter.
Michael StrM-vder [EMAIL PROTECTED] writes:
Dr S N Henson wrote:
So does anyone have some responder addresses I can test this stuff against?
http://www.valicert.com/ocsp/ - you might already know this...
Isn't that the one where all the certs (on the interop web page anyway) have
expired?
Rich Salz [EMAIL PROTECTED] writes:
You might look at Identrus, www.identrus.com, since their requirement for
OCSP drove many vendors, and see what partners and vendors they list.
That's one of the by-invitation-only ones (they were nice enough to let me use
it for interop testing, but I
Dr S N Henson [EMAIL PROTECTED] writes:
So does anyone have some responder addresses I can test this stuff against? I
currently know of two and there must be several more out there.
That may be all there are, I was testing this a while back and had a hell of a
time finding any responders
Goetz Babin-Ebell [EMAIL PROTECTED] writes:
Everybody can issue a CRL.
Only a CA with CRL signing enabled can issue a CRL.
A CA can issue a CRL with own revokated certificates but it can issue a CRL
with revoked certificates of other CAs (at least in X509v3...)
A CA can't revoke another CA's
Goetz Babin-Ebell [EMAIL PROTECTED] writes:
Peter Gutmann wrote:
Goetz Babin-Ebell [EMAIL PROTECTED] writes:
Everybody can issue a CRL.
Only a CA with CRL signing enabled can issue a CRL.
Everybody who can generate a certificate with the propper flags can generate a
CRL.
Sure
Mats Nilsson [EMAIL PROTECTED] writes:
Should a self-signed root certificate ever need to be revoked, shall it list
itself in its usual CRL(s), as the last thing it does before it is thrown
away, or is it sufficient (from its users' standpoint) that it simply ceases
to issue more CRLs?
Noone
nagendra [EMAIL PROTECTED] writes:
I've appended the PKCS#7 request generated by IIS to the end of this email.
IIS creates the header "BEGIN NEW CERTIFICATE REQUEST", which is interpreted
as an old X509 request (see pem.h).
Ohgodohgod what a mess! That's PKCS #7 signed data containing a data
Jeffrey Altman [EMAIL PROTECTED] writes:
Quoting from Peter Gutmann's paper when he describes the use of the ToolHelp
library:
"Since even a moderately loaded system can contain over 500 heap
objects and 50 modules, we need to limit the duration of the poll
to a second or two, which is
PaweM-3 Krawczyk [EMAIL PROTECTED] writes:
My question is if this is a bug in MS software (it shouldn't be generating
such certs), or OpenSSL is getting this wrong as a signed number?
AFAIK it's bugs in both. MS have always got the sign bit wrong in their
encoding, but it's not that much of a
Borland has made its command-line compiler tools freely available:
http://www.borland.com/bcppbuilder/freecompiler
It's not quite free, they make you run a serious gauntlet of registation and
logging and cookies and javascript before you can finally get a copy. It'd
be less painful if they
Dr Stephen Henson [EMAIL PROTECTED] writes:
It would be possible to add BF cipher suites giving them experimental
numbers but ideally some "official" numbers should be used.
There's an infintely-delayed informational RFC for BF which I have sitting
on a machine somewhere, if it's required (to
Dr Stephen Henson [EMAIL PROTECTED] writes:
Is there any circumstances where the environment isn't safe? I believe extra
privs are normally needed to read another users processes environment.
Under DEC Unixen you can read anyone's environment without any extra privs
(ps -wwae or a variant
Dr Stephen Henson [EMAIL PROTECTED] writes:
One problem with X9.42 DH. I haven't seen any examples of the domain
parameter generation (the one based on DSA) that have m 160 (Other then the
S/MIME examples stuff which so far I can't reproduce and which no one says
they've independently
"Sean O'Dell" [EMAIL PROTECTED] writes:
HELP
"What was the name of the Beatles film released in July 1965?".
That's correct, and it looks like he's won a chance to read the FAQ...
Peter.
__
OpenSSL Project
Chris Ridd [EMAIL PROTECTED] writes:
I read Peter Guttmann's screed on X.509 and char sets last night -
interesting, though he does fall into the trap of discussing all the myriad
of drafts, and forgetting that these are just drafts. The standards
themselves are less ambiguous.
The reason I
Ben Laurie [EMAIL PROTECTED] writes:
I am in search of the following references. Does anybody know where them can
be found?
ISO/IEC 8824-1:1995: Information technology - Abstract Syntax
Notation One (ASN.1) -- Specification of basic notation. 1995
Haha. Prepare to be thoroughly
"Qin, Xiangping" [EMAIL PROTECTED] writes:
I wish to add some image or voice to the certificate.
Can you give me some advice on how to do it?
Just define an OID and put it in the altName as an otherName. I did this
about a year ago for the MPEG-of-cat certificate, which you can get from
"Paul Keogh" [EMAIL PROTECTED] writes:
I have a problem decoding a CRL which is missing the VERSION field but which
has extensions present.
This is a known problem with CRL's, to accomodate these things you have to
ignore the version number and be prepared to handle extensions regardless of
Is it still illegal to kill people who post unsubscribe messages to mailing
lists?
Normally I'd let it pass, but since he posted the same thing multiple times
after having mixed in a bucketful of HTML and passed it through a blender set
on "frappe", I think the application of
The best way is to talk Peter Gutmann into donating his randomness-gathering
code (or to implement something similar). For efficiency that should
probably be combined with a seed file.
This has already been done so it could be used with GPG (actually it's always
been available for the asking
"Chad C. Mulligan" [EMAIL PROTECTED] writes:
As far as I know El-Gammal has everything you want from PKC and it's used in
GNU's GPG, the PGP replacement. It's unpatented, too, and free for use
anywhere.
So why hasn't anyone ever put an El-Gammal cipher suite in an SSL
implementation? Is it
24 matches
Mail list logo
