WebApp Sec mailing list archives
Re: Open Source Certificate authority
From: "Keith W. McCammon" <keith-list () mccammon org>
Date: Tue, 23 Sep 2003 14:19:30 -0400
> Thanks for all of the useful info. Let me narrow my request one step more so I don't spend any time installing and configuring something that does not work. The point of using an alternate Certificate Authority is to mimic the exact communication between the client and server. Our application has an interface to it that 3rd parties develop their own tools to utilize. These tools are not browsers. Anything like a certificate warning for the certificate authority, mismatch domain name or (expiration) will cause the exchange of information to fail (or error out). The automated tools we use in testing behave the same. So to clarify:
Typically, certificate-dependent apps/services will not present a warning message if:
- The issuing CA is trusted by the software/system that is attempting to make use of or validate the cert. Verisign, Entrust, et al. happen to be trusted by the major software vendors. As such, clients need not download the CA certification path and/or CA certificate, and will not receive any "untrusted authority" type messages.
- The certificate CN matches the host name requested by the client.
- Neither the host certificate, nor any certificates in the chain of trust have been revoked or have expired.
- And so on...
> 1. Is there an app that anyone is familiar with that will duplicate Verisign's Certificate Authority in a way that would eliminate any type of warning. (It seems like apache and openssl are out).
Sure, any CA that is trusted by the client(s), and any client software that can ignore other non-trust-related issues.
Regarding your OpenSSL citation, OpenSSL is not returning an error to the client; the client is generating the error based on the request information, as well as the information contained within the certificate in question. It's not so much a matter of one side sending the other an error message--it's a mismatch.
> 2. Does freshmeats.com's CAtool, MS Cert Authority, or any other software supply certificates that would not present any warning message?
Again, this is dependent on the client. If the client is set up to ignore these errors, then they're not a problem. If the client is incapable of ignoring these errors, then the client needs to:
- Install the CA certificate and/or path to prevent trust errors.
- Use the correct host name (matching the CN associated with the certificate).
- Ignore things like revocation and expiration, if the certificate is known to be out of date or otherwise invalid.
Hope this helps. Sorry for the length. Hope I'm not missing the point entirely.
Cheers, Keith
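As an added illustration of the three client-side checks discussed in this message (this is example code, not anything from the thread or from the tools named in it): a small Go program that mints a throwaway private root CA and a host certificate, then runs the checks a strict, non-browser client applies and names whichever one fails. The CA names, host names and lifetimes are constructed for the example; one thing that has changed since this thread is that current clients match the host name against the certificate's SubjectAltName list rather than the CN, which the example reflects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert signed by parent; nil parent = self-signed (our throwaway private root CA).
func mkCert(cn string, sans []string, isCA bool, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, // current clients match the host against the SAN list; a CN-only cert fails
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter, IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	signer, signerKey := tmpl, key // self-signed unless a parent CA is supplied
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Verify applies the checks a strict non-browser client makes: chain to a root it trusts,
// match the requested host name, enforce the validity window. It names the first failure.
func Verify(leaf, trustedRoot *x509.Certificate, host string) string {
	roots := x509.NewCertPool() // an empty pool trusts nothing, not even the system store
	if trustedRoot != nil { roots.AddCert(trustedRoot) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError:
		return "host name mismatch"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired { return "expired" }
	case x509.UnknownAuthorityError:
		return "untrusted CA"
	}
	return err.Error()
}
```

Installing the private root in the client's trust store is what turns "untrusted CA" into "ok"; the host-name and expiry failures are properties of the issued certificate and are not fixed by trusting the CA.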