WebApp Sec mailing list archives
Re: Open Source Certificate authority
From: Alex Russell <alex () netWindows org>
Date: Tue, 23 Sep 2003 12:28:40 -0500
On Tuesday 23 September 2003 11:10, Jared Ingersoll wrote:
> Thanks for all of the useful info. Let me narrow my request one step more so I don't spend any time installing and configuring something that does not work.
OpenSSL will in all likelihood work. Whether or not it does what you want is another question entirely.
> The point of using an alternate Certificate Authority is to mimic the exact communication between the client and server. Our application has an interface to it that 3rd parties develop their own tools to utilize. These tools are not browsers. Anything like a certificate warning for the certificate authority, mismatched domain name or expiration will cause the exchange of information to fail (or error out). The automated tools we use in testing behave the same. So to clarify:
>
> 1. Is there an app that anyone is familiar with that will duplicate Verisign's Certificate Authority in a way that would eliminate any type of warning? (It seems like apache and openssl are out.)
I think you fundamentally misunderstand what a CA does and the service it provides. If you could just "duplicate" the Verisign/Thawte/whoever CA, you could issue snakeoil certs that were for all mathematical purposes actually derived from their root of trust. The security implications of this are pretty self-evident.
> 2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software supply certificates that would not present any warning message?
The way to avoid error messages is to register your home-grown CA with the clients that are going to be attempting to verify the certs you present. Any competently designed PKI client will allow for CA addition and revocation. Barring that, you will have to rely on the chain of trust already embedded in the clients, which requires going through the CAs already registered with them (one way or another). There is no third option. I STRONGLY suggest you find a good primer on PKI, as your question implies a basic misunderstanding of what guarantees PKI will and will not provide you.

Regards.

-- 
Alex Russell
alex () burstlib net    BD10 7AFC 87F6 63F9 1691 83FA 9884 3A15 AFC9 61B7
alex () netWindows org  F687 1964 1EF6 453E 9BD0 5148 A15D 1D43 AB92 9A46
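The point Alex makes above, that the warnings stop only once the verifying client has your private root in its own trust store, can be shown end to end with the Go standard library's X.509 verifier. This is an added example and not code from the thread or from any of the tools named in it: it builds a throwaway private root (constructed name "Demo Private Root"), has that root issue a server certificate for the constructed hostname api.example.test, and then runs the client-side check the way a non-browser tool would, against a client that has registered the root and one that has not, plus the hostname-mismatch and expiry cases Jared listed. Everything in it is in-memory and self-contained.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on a setup error (demo-only convenience).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed private root. The name is constructed for the demo.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Private Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf has the private root sign a server certificate for dnsName with the given validity window.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{dnsName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// clientVerify is the check a non-browser client performs on the presented certificate:
// chain it to the client's own trust store (roots) and match the host it dialed.
func clientVerify(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "unknown-ca"
	case x509.HostnameError:
		return "hostname-mismatch"
	case x509.CertificateInvalidError:
		return "invalid-or-expired"
	}
	return "other"
}

// Outcomes runs the same server certificate past a client with the private root
// registered and one without, plus the hostname and expiry failure modes.
func Outcomes() map[string]string {
	ca, caKey := newCA()
	now := time.Now()
	host := "api.example.test" // constructed hostname for the demo
	good := issueLeaf(ca, caKey, host, now.Add(-time.Hour), now.Add(24*time.Hour))
	expired := issueLeaf(ca, caKey, host, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	registered := x509.NewCertPool() // client whose trust store had the private root added
	registered.AddCert(ca)
	unregistered := x509.NewCertPool() // client whose trust store was never updated
	return map[string]string{
		"registered-ca":   clientVerify(good, registered, host),
		"unregistered-ca": clientVerify(good, unregistered, host),
		"wrong-host":      clientVerify(good, registered, "other.example.test"),
		"expired":         clientVerify(expired, registered, host),
	}
}

func main() {
	for k, v := range Outcomes() {
		fmt.Printf("%-16s %s\n", k, v)
	}
}
```

Only the "registered-ca" case verifies cleanly; the identical certificate presented to a client whose trust store was never updated fails as an unknown authority, which is exactly the failure a tool that "behaves like a browser" reports. The fix is on the client side (adding the root to its pool), not in how the CA or the certificate is produced.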
Current thread:
- Open Source Certificate authority Jared Ingersoll (Sep 23)
- Re: Open Source Certificate authority Don Fike (Sep 23)
- Re: Open Source Certificate authority Keith W. McCammon (Sep 23)
- <Possible follow-ups>
- RE: Open Source Certificate authority Tenorio, Leandro (Sep 23)
- RE: Open Source Certificate authority Jared Ingersoll (Sep 23)
- Re: Open Source Certificate authority Alex Russell (Sep 23)
- Re: Open Source Certificate authority George W. Capehart (Sep 24)
- Re: Open Source Certificate authority Chackan Lai (Sep 23)
- Re: Open Source Certificate authority Keith W. McCammon (Sep 24)
- RE: Open Source Certificate authority Dave Ockwell-Jenner (Sep 24)
- Re: Open Source Certificate authority Dorian Moore (Sep 24)
- RE: Open Source Certificate authority TUER, DON (Sep 24)
- Re: Open Source Certificate authority Alex Russell (Sep 23)
- RE: Open Source Certificate authority Lapinski, Michael (Research) (Sep 23)
- RE: Open Source Certificate authority Tenorio, Leandro (Sep 23)
- RE: Open Source Certificate authority Chip Kelly (Sep 24)
- RE: Open Source Certificate authority Lapinski, Michael (Research) (Sep 24)
(Thread continues...)