Michael S. Zick wrote:
On Fri December 26 2008, Edward Diener wrote:
By 'dongle' do you mean a hardware 'dongle'? If it is a software dongle
you need to spell out for me what you mean.
There are a lot of devices being marketed for this purpose, but as
an example that it needs to be neither c
On 12/26/08 8:12 PM, "Victor Duchovni" wrote:
> Note, some CAs ignore SAN entries in the CSR and either don't support
> SAN certs at all, or require a separate SAN form to be filled in when
> uploading the CSR.
I can confirm that Go Daddy respects the SAN in their 5-domain cert product.
Hi Edward:
Ok - I'm going to reply, but I'm also going to top post, since doing a
point by point discussion isn't going to help.
The concept of Private/Public key cryptography (of which X.509
Certificates are one invocation), is that a single private key belongs
to a single security principle. Th
On Fri, Dec 26, 2008 at 07:25:00PM -0500, Tom Worster wrote:
> On 12/26/08 4:45 AM, "Kyle Hamilton" wrote:
>
> > To deal with this, you need to either put the two domains on separate
> > ports (which causes URLs of the form https://www.example2.com:4433/ ),
> > or create a certificate with the s
Kyle Hamilton wrote:
First: I have suggested such, in the message where I stated that many
hotels don't allow connections on port 3306 (which is MySQL's standard
data port). Create a proxy that sits on a webserver, using XML-RPC to
accept requests from the client. Perform whatever logic checki
On 12/26/08 4:45 AM, "Kyle Hamilton" wrote:
> To deal with this, you need to either put the two domains on separate
> ports (which causes URLs of the form https://www.example2.com:4433/ ),
> or create a certificate with the subjectAlternativeName extension.
> The sAN is a list of values of the fo
On Thu, Dec 25, 2008 at 07:27:22PM -0800, vampist wrote:
>
> Simple command:
> req -key sitename.com.key -x509 -out sitename.com.cst
Without the "-new" option, the "req" command expects to read a CSR on
standard input or from the file specified with "-in".
--
Viktor.
Simple command:
req -key sitename.com.key -x509 -out sitename.com.cst
I enter the correct passphrase then nothing. I have thought "Self: Maybe
it's just taking a while so I will let it sit." (sat for 2 days
{Seriously})..
Nothing happens. Nothing created.. No confirm. Nada.
Ooooh what do I d
First: I have suggested such, in the message where I stated that many
hotels don't allow connections on port 3306 (which is MySQL's standard
data port). Create a proxy that sits on a webserver, using XML-RPC to
accept requests from the client. Perform whatever logic checking you
need there, and
On Fri December 26 2008, Edward Diener wrote:
>
> By 'dongle' do you mean a hardware 'dongle'? If it is a software dongle
> you need to spell out for me what you mean.
>
There are a lot of devices being marketed for this purpose, but as
an example that it needs to be neither complicated program
I would recommend making 2 domains with the same extension and then
use a wildcard certificate.
For a quick test you can use the DOS batch script I made at my latest
blog post ( http://codingathome.blogspot.com ) and make a cert with
the CNAME of *.example.com . Then you can run 2 virtual apac
On Fri, Dec 26, 2008 at 01:28:27PM -0500, Edward Diener wrote:
> If I can get a little finicky, the application needs access to the
> database/server. Nobody else should be accessing it. But I am sure that
> is what you meant.
You trust your application, but not its users. This always because,
Ger Hobbelt wrote:
Mr. Diener,
What the folks here are saying is that your current scenario is a
catch22: unless at least one part of the requirements (as perceived by
your client) is changed, there is no way out.
Put in other words used in the discussion so far: this fact turns any
answer into
On Fri December 26 2008, Edward Diener wrote:
>
> From what others have written, I feel that I am right and coming up
> with elaborate schemes of hiding the client certs from the end-user
> until they are actually going to be used by client application code in
> making the connection is largely
Edward Diener wrote:
> Well I asked whether protection for the client side certs were needed,
> and how this might be done, and I was told I was barking up the wrong
> tree, so to speak. I felt this way from the very beginning but my
> employer wanted to get other opinions.
You are either unclear
Mr. Diener,
What the folks here are saying is that your current scenario is a
catch22: unless at least one part of the requirements (as perceived by
your client) is changed, there is no way out.
Put in other words used in the discussion so far: this fact turns any
answer into a "security theater".
Michael S. Zick wrote:
On Fri December 26 2008, Edward Diener wrote:
Kyle Hamilton wrote:
If your company hires a security consultant, s/he will state the same thing.
Thanks for your help but right now I am the programmer and "security
consultant", and therefore I must come up with security an
On Fri December 26 2008, Edward Diener wrote:
> Kyle Hamilton wrote:
> >
> > If your company hires a security consultant, s/he will state the same thing.
>
> Thanks for your help but right now I am the programmer and "security
> consultant", and therefore I must come up with security answers.
>
Edward Diener
> > Your scheme requires you to put the credentials where an
> > attacker can get them in unencrypted form. All an attacker need
> > do is terminate your process as soon as it attempts a network
> > connection (or intercept its filesystem calls and snapshot every
> > file before
Edward Diener wrote:
> Please suggest ways to do so. The server is no different from any other
> server database. It accepts a username/password to prevent unauthorized
> users from accessing its data. I am perfectly willing to listen to other
> server techniques which involve security, or rea
David Schwartz wrote:
Kyle Hamilton wrote:
If your company hires a security consultant, s/he will state the
same thing.
-Kyle H
The fundamental problem is this:
You have one door. Every customer must walk through it. However, you don't want
a customer to run amuck once he gets through the
Kyle Hamilton wrote:
Mr Diener:
This is, incidentally, why I call it "security theater" -- you're not
gaining anything from the actions that you're going through, except
"warm and fuzzies" of the people you're entertaining with it (in this
case, your boss).
You need to fix your server architect
Kyle Hamilton wrote:
> If your company hires a security consultant, s/he will state the
> same thing.
>
> -Kyle H
The fundamental problem is this:
You have one door. Every customer must walk through it. However, you don't want
a customer to run amuck once he gets through the door. Your solut
Mr Diener:
This is, incidentally, why I call it "security theater" -- you're not
gaining anything from the actions that you're going through, except
"warm and fuzzies" of the people you're entertaining with it (in this
case, your boss).
You need to fix your server architecture, which is likely go
Unless you're dealing with a new version of Apache which can handle
Server Name Indication (a relatively recent TLS extension), you cannot
have multiple certificates on the same IP:port combination. (It's a
"chicken and egg" problem: the HTTP Host: header is what contains the
data about what hostn