On Fri, 4 Aug 2006, Marek Marcola wrote:
>> server167# openssl version
>> OpenSSL 0.9.7d 17 Mar 2004
>> server167# pwd
>> /usr/ports/www/openssl-0.9.8b
>> So...
>>
>> How do I turn off the old version and turn on the new which should
>> support threading so I can use Pound??
>
>But I think:
>
Hello,
> I have FreeBSD 5.3. I d/l'd the latest distro of openssl, ran:
> ./config --prefix=/usr/local --openssldir=/usr/local/openssl
> enable-threads enable-shared
> make
> make test
> make install
> and everything checked out just fine. However...
>
> server167# openssl version
> OpenSSL 0.9.
Hi;
I have FreeBSD 5.3. I d/l'd the latest distro of openssl, ran:
./config --prefix=/usr/local --openssldir=/usr/local/openssl
enable-threads enable-shared
make
make test
make install
and everything checked out just fine. However...
server167# openssl version
OpenSSL 0.9.7d 17 Mar 2004
server1
It doesn't make much sense to add attributes to certs if values of those
attributes can't be verified. Attribute Certificate seems the right way to
go (thanks, Vijay!).
The question is - do our "mainstream" CA's (such as VeriSign, etc.) support
Attribute Certificate?
Tnx!
> -Original Mess
Hi Gerd,
It will. But as Dmitrij already pointed out, there are Attribute
Certificates.
Those attributes are not part of the signed data, so they can be changed (but
also by anybody).
But inside a PKCS they are at least safe and for internal use, it might
work. (But you do not
want to send lo
Theodore Olen wrote:
Hello,
I'll look into Attribute Certificate, as I've never heard of this term
before. Thanks!
See http://www.ietf.org/rfc/rfc3281.txt
- vijay
--
Vijay K. Gurbani [EMAIL PROTECTED],research.bell-labs.com,acm.org}
Bell Laboratories, Lucent Technologies, Inc.
2701 Lucent L
> ensures me that the data is safely stored, as the certificate, and therefore
> also my additional data, can only be opened when the password is known.
If this is all you want to do, a cryptographic beginner such as yourself
will probably find it easier to use something like the GNU Privacy Gu
Hello,
I'll look into Attribute Certificate, as I've never heard of this term
before. Thanks!
Kind regards,
Theodore
From: "Dmitrij Mironov" <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To:
Subject: RE: extending a PKCS12 certificate
Date: Fri, 4 Aug 2006 15:11:28 +0300
It seem
PKCS12 is a data format. It's usually password-protected, and is designed
to bundle together a private key with one or more certificates. Openssl
includes tools (programs and APIs) to parse and generate PKCS12.
Once you've extracted the cert, you can parse it, and add an extension. To
sign t
Hello,
Thanks for your reply.
Can you please give a little more explanation on how this can be done? To be
sure, I don't want to change the private key and public certificate; simply
said, I want to add arbitrary data to my .p12-file. Why do I want this? This
ensures me that the data is safel
You'd also need to identify that second CA. Verifying that internal
(second) signature would be tricky since you'd have to remove the
extension (tweak the DER length fields, etc) before hashing. And then
there's all the complexity of checking for revocation from the second CA.
(Which, frankly
Hello Sascha,
wouldn't this invalidate the digest and therefore the entire certificate?
If changing the arbitrary data does not invalidate the certificate,
it must not be part of the digest, but then everybody would be able to change
it.
And just adding the arbitrary data to the PKCS12 file woul
This may be the wrong place to ask this since it is not OpenSSL specific, but
would cross signing of an X.509 cert to verify its contents be a good measure
to increase the trustworthiness of a cert. Take the following example...
We have a CA which hands out certs with authorization type attribut
It seems like you are talking about Attribute Certificate, but openssl
doesn't support them. Unfortunately. :o(
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Theodore Olen
> Sent: Friday, August 04, 2006 2:31 PM
> To: openssl-users@openssl.org
As far as I know, PKCS12 is just a combination of your private key and
the public certificate. So, it should be possible to extract the
certificate, make the changes and pack it together with the private key again.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On B
Hello all,
I would like to ask a question about PKCS12 certificates.
Is it possible to extend a PKCS12 certificate with arbitrary data? I would
like to extend a given certificate with user data (such as login and
password) in such a way that the output certificate is still a valid
certificate.