* Dr. Stephen Henson wrote on Wed, Sep 02, 2009 at 15:08 +0200:
> Including a public key certificate in no way risks the
> integrity of its private key as several others have said in
> this thread.
I think this theoretically opens the possibility to brute-force
the private key.
I think that Brute
* Serge Fonville wrote on Wed, Sep 02, 2009 at 13:00 +0200:
> The chain always includes all CAs and certificates. I've done some
> googling, and it shows that you can trust 'just' the intermediate CA
> without trusting the root CA, although this kinda obsoletes the purpose
> of the root CA.
[...]
On Wed, Sep 02, 2009, Yin, Ben 1. (NSN - CN/Cheng Du) wrote:
> OK, regarding the CA deploy, such as, we have a one root ca and 1000 sub ca
> signed by root ca, and each sub ca used as ca by 1000 terminals. So the total
> network size is 1000*1000. All our ca, including root ca and sub ca, was
> sto
>
> Br
>
> Ben
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
> Sent: Wednesday, September 02, 2009 1:30 PM
> To: openssl-users@openssl.org
> Subject: Re: Verify certific
sl-us...@openssl.org]
On Behalf Of ext Serge Fonville
Sent: Wednesday, September 02, 2009 1:30 PM
To: openssl-users@openssl.org
Subject: Re: Verify certificate using subordinate ca
If you are using client certificates, use a CRL at the server side.
That way you can assure that only those that you
t;
>
>
> Br
>
> Ben
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
> Sent: Wednesday, September 02, 2009 12:52 PM
> To: openssl-users@openssl.org
> Subject: Re:
eptember 02, 2009 12:52 PM
To: openssl-users@openssl.org
Subject: Re: Verify certificate using subordinate ca
What exactly are the applications you use, are they compiled against
openssl libraries?
On Wed, Sep 2, 2009 at 11:49 AM, Yin, Ben 1. (NSN - CN/Cheng
Du) wrote:
> Yes. When server send certifi
: owner-openssl-us...@openssl.org
>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
>> Sent: Wednesday, September 02, 2009 11:59 AM
>> To: openssl-users@openssl.org
>> Subject: Re: Verify certificate using subordinate ca
>>
>> If your cli
ext Serge Fonville
Sent: Wednesday, September 02, 2009 12:43 PM
To: openssl-users@openssl.org
Subject: Re: Verify certificate using subordinate ca
Every time an application connects to an ssl-enabled server the
certificate chain is verified.
On Wed, Sep 2, 2009 at 11:37 AM, Yin, Ben 1. (NSN - CN
without root ca? Thanks.
>>
>>
>> Br
>>
>> Ben
>>
>> -Original Message-
>> From: owner-openssl-us...@openssl.org
>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
>> Sent: Wednesday, September 02, 2009 11:
g]
On Behalf Of ext Serge Fonville
Sent: Wednesday, September 02, 2009 11:59 AM
To: openssl-users@openssl.org
Subject: Re: Verify certificate using subordinate ca
If your client application supports that, it could be done, but no
standard compliant application allows that to my knowledge.
On Wed,
enssl-us...@openssl.org] On Behalf Of ext Serge Fonville
> Sent: Wednesday, September 02, 2009 11:28 AM
> To: openssl-users@openssl.org
> Subject: Re: Verify certificate using subordinate ca
>
> How do you think compromising a CA would occur, because a CA could
> only become compro
sl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of ext Serge Fonville
Sent: Wednesday, September 02, 2009 11:28 AM
To: openssl-users@openssl.org
Subject: Re: Verify certificate using subordinate ca
How do you think compromising a CA would occur, because a CA could
only
rg] On Behalf Of ext Serge Fonville
> Sent: Tuesday, September 01, 2009 5:14 PM
> To: openssl-users@openssl.org
> Subject: Re: Verify certificate using subordinate ca
>
> I don't see your problem honestly. Figuring out a private key is close
> to impossible.
> And stealing
enssl-us...@openssl.org]
On Behalf Of ext Serge Fonville
Sent: Tuesday, September 01, 2009 5:14 PM
To: openssl-users@openssl.org
Subject: Re: Verify certificate using subordinate ca
I don't see your problem honestly. Figuring out a private key is close
to impossible.
And stealing it, well, th
to fix the our whole network. Thanks.
>
>
> Br
>
> Ben
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Serge Fonville
> Sent: Tuesday, September 01, 2009 4:31 PM
> To: openssl-users@
ptember 01, 2009 4:31 PM
To: openssl-users@openssl.org
Subject: Re: Verify certificate using subordinate ca
Based on what you state.
There is no purpose for the root CA.
What do you mean by compromised?
If you publish a CA certificate to clients, it does not include the
key. (normally)
So the on
@openssl.org] On Behalf Of ext Yin, Ben 1.
> (NSN - CN/Cheng Du)
> Sent: Tuesday, September 01, 2009 3:06 PM
> To: openssl-users@openssl.org
> Subject: RE: Verify certificate using subordinate ca
>
> Hi Serge,
>
> My intention is to keep my root ca out of compromise. We want to
Ben
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Yin, Ben 1.
(NSN - CN/Cheng Du)
Sent: Tuesday, September 01, 2009 3:06 PM
To: openssl-users@openssl.org
Subject: RE: Verify certificate using subordinate ca
Hi Serge,
My intenti
e Fonville
Sent: Tuesday, September 01, 2009 2:14 PM
To: openssl-users@openssl.org
Subject: Re: Verify certificate using subordinate ca
Hi,
Hmm...
I've had the same issue.
Basically it came down to "how do you know if the sub is reliable if
you do not know whether to trust the root?"
If you do not wish to have the root as part of the chain, create a new
chain where the sub is the root
What is the reason you do not want to use the