Hello list,
I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE.
I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because
A) That's potentially a lot of DNS records B) That requires a hash of the e-mail addresses in DNS
Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates.
Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised.
I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1... but it looks like that is intended for enterprise, more complex than I need.
Anyone know of a good simple script for providing OCSP ??
-=-
Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates.
I think the PKI system has way way way to many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must.
DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it.
https://www.openca.org/ might fit my needs.
On 04/14/2017 06:29 PM, Alice Wonder wrote:
Hello list,
I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE.
I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because
A) That's potentially a lot of DNS records B) That requires a hash of the e-mail addresses in DNS
Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates.
Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised.
I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1... but it looks like that is intended for enterprise, more complex than I need.
Anyone know of a good simple script for providing OCSP ??
-=-
Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates.
I think the PKI system has way way way to many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must.
DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 04/14/2017 10:41 PM, Alice Wonder wrote:
https://www.openca.org/ might fit my needs.
their Centos repo does not exist, it seems?
On 04/14/2017 06:29 PM, Alice Wonder wrote:
Hello list,
I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE.
I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because
A) That's potentially a lot of DNS records B) That requires a hash of the e-mail addresses in DNS
Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates.
Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised.
I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1...
but it looks like that is intended for enterprise, more complex than I need.
Anyone know of a good simple script for providing OCSP ??
-=-
Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates.
I think the PKI system has way way way to many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must.
DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Oh I don't know, their github works.
However it seems that it isn't able to deal with more than one ocsp signing key.
On 04/16/2017 08:40 AM, Robert Moskowitz wrote:
On 04/14/2017 10:41 PM, Alice Wonder wrote:
https://www.openca.org/ might fit my needs.
their Centos repo does not exist, it seems?
On 04/14/2017 06:29 PM, Alice Wonder wrote:
Hello list,
I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE.
I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because
A) That's potentially a lot of DNS records B) That requires a hash of the e-mail addresses in DNS
Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates.
Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised.
I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1...
but it looks like that is intended for enterprise, more complex than I need.
Anyone know of a good simple script for providing OCSP ??
-=-
Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates.
I think the PKI system has way way way to many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must.
DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
What about the pki package that comes with Centos?
pki-server and pki-ca?
On 04/16/2017 11:54 AM, Alice Wonder wrote:
Oh I don't know, their github works.
However it seems that it isn't able to deal with more than one ocsp signing key.
On 04/16/2017 08:40 AM, Robert Moskowitz wrote:
On 04/14/2017 10:41 PM, Alice Wonder wrote:
https://www.openca.org/ might fit my needs.
their Centos repo does not exist, it seems?
On 04/14/2017 06:29 PM, Alice Wonder wrote:
Hello list,
I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE.
I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because
A) That's potentially a lot of DNS records B) That requires a hash of the e-mail addresses in DNS
Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates.
Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised.
I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1...
but it looks like that is intended for enterprise, more complex than I need.
Anyone know of a good simple script for providing OCSP ??
-=-
Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates.
I think the PKI system has way way way to many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must.
DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Alice,
Have you found an OCSP responder?
I am writing an Internet Draft for using openssl to set up a simple ECDSA pki:
https://datatracker.ietf.org/doc/draft-moskowitz-ecdsa-pki/
It is PAST time that the default for certs is RSA, and rather move on to ECDSA. EdDSA is almost ready to ship! (Dan Bernstein's ECC rather than NIST/NSA, plus they ARE better curves)
Version 01 is in the works that adds CRL (done) and OCSP (almost done). I should have this version posted by middle of next week.
Right now I use self-signed certs for all my servers, but I plan on creating my own small PKI and running my own OCSP responder. I also would like to find something 'simple'.
ECDSA will have better response for DANE. EdDSA will be even better! But it will take the NEXT version of openssl to provide support.
Bob
On 04/16/2017 12:43 PM, Robert Moskowitz wrote:
What about the pki package that comes with Centos?
pki-server and pki-ca?
On 04/16/2017 11:54 AM, Alice Wonder wrote:
Oh I don't know, their github works.
However it seems that it isn't able to deal with more than one ocsp signing key.
On 04/16/2017 08:40 AM, Robert Moskowitz wrote:
On 04/14/2017 10:41 PM, Alice Wonder wrote:
https://www.openca.org/ might fit my needs.
their Centos repo does not exist, it seems?
On 04/14/2017 06:29 PM, Alice Wonder wrote:
Hello list,
I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE.
I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because
A) That's potentially a lot of DNS records B) That requires a hash of the e-mail addresses in DNS
Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates.
Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised.
I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1...
but it looks like that is intended for enterprise, more complex than I need.
Anyone know of a good simple script for providing OCSP ??
-=-
Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates.
I think the PKI system has way way way to many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must.
DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos