plementary, and a
developer shifts between these modes of thought often while working.
I agree that a Migration Guide will, after a brief discussion of the
high-level differences between old and new, consist mostly of "if you
did task T that way before, now you should do it something like t
est:
> https://github.com/openssl/openssl/issues/14570
>
> Unfortunately it was not implemented in time for beta1 so this is now
> Post 3.0 item.
>
> I would recommend explicitly setting security level 0 via a cipher
> string when executing the test.
I second the motion
nds on another question: do
you regularly review the package manager's default cipher list, and
have reason to trust it?
--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
> And unless some or all of the browsers also apply these requirements to
> private CAs, you’re not forced to follow them all.
How does one mechanically distinguish public vs. private CAs?
--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Ind
a file
named CHANGES contains *all* of the changes, while a file named
RELEASE_NOTES includes selected changes of particular significance.
It's confusing to call a release-notes file CHANGES.
Appending a note that, for a full change log, [DO THIS], would probably
be well received.
--
Mark
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
signature.asc
Description: Digital signature
___
openssl-users ma
\applause all around!
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
tention to the CAs you trust, and evict any that seem to
have declined to a degree that worries you.
5. Goto 3.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
Or 'mount -o umask=077' I think.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
lingness to work with the writer to ensure
that the coverage and clarity of the writing is substantially
improved.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
the hostname
> you connected to. If the next time you connect the certificate has
> changed, a system supporting certificate pinning will warn you.
I believe this is what the Certificate Patrol plugin for Firefox is
doing, if you want to see it in action.
--
Mark H. Wood, Lead System Programm
rivate CA
> support and we should have a friendly script or cookbook for this available
> somewhere. Fixing this will relieve you guys of answering all these
> inquiries via email.
TinyCA has, so far, sufficed for my modest needs.
http://tinyca.sm-zone.net/
--
Mark H. Wood, Lead Syst
iles in
/etc. There's no way to keep me out.
Better to say: if users canNOT manipulate the root certificate store,
then it would be impossible to trust anything. The whole point is
*my* trust. (And yours.)
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets ar
It
> > should be self explanatory from here. The only other question that
> > remains is which Root CA. That can only be done by reading the
> > certificate hierarchy that is presented by the bank's server, which it
> > should provide you upon making an s_client co
Ah. I did not understand that "referenced by browser vendors" meant
we were talking about inclusion in their canned trust stores. Thanks,
both of you.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people
haps
you could develop and share a patch that provides locking?
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
w do they test the randomness of a single
sample? "1" is every bit as random (or nonrandom) as
"0xdcb4a459f014617692d112f0942c89cb".
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
e not to use such a tool, you may learn some useful
things by studying the code.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a
little more than 2 percent of world population has broadband.
-- Ledford and
no matter
how many disclaimers they slather onto the EULA. We should all check
and tune our browsers' trust lists. (No, I haven't.)
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a
little more tha
certificate, that might help.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a
little more than 2 percent of world population has broadband.
-- Ledford and Tyler, _Google Analytics 2.0_
don't have to make practical
sense, so long as they make educational sense.
Anyway, when did anyone pass a law that says requirements have to
be sensible? :-)
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form
ough information from the source to write properly. The designer
knows things the rest of us do not, and it is precisely that knowledge
which gives documentation much of its value.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
orrect if it does
not model the problem that the code is intended to solve.
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
seen any patches come in).
> (i.e.: Intel is doing strategic positioning that AMD is not.)
That's smart of Intel. But again, if AMD have released spec.s under
liberal terms then maybe they think they *are* positioning their
product, and nobody has picked up on it yet.
--
Mark H. W
That's a Layer 1/2 issue. Perhaps you mean RFC 3514?
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
On Tue, Feb 24, 2009 at 03:17:52PM -0800, John Oliver wrote:
> On Tue, Feb 24, 2009 at 03:48:21PM -0500, Mark H. Wood wrote:
> > On Tue, Feb 24, 2009 at 08:02:30AM -0800, John Oliver wrote:
> >
> > > 10. Right click on the displayed keypair and Rename it to 'key
On Tue, Feb 24, 2009 at 03:11:29PM -0800, John Oliver wrote:
> On Tue, Feb 24, 2009 at 03:48:21PM -0500, Mark H. Wood wrote:
> > I don't think Sun keytool will do this step. You can export
> > certificates but not private keys -- at least, I've never found a way
>
-provided keys, but keytool doesn't let you at that method.
If you could use -genseckey to let keytool generate the key, you could
start with a .jks and there'd be no problem.
> I am told that renaming the keypair is important, as our application
> cares. Same with using the pass
e error allowance, 50 mile 100% kill zone, plus room to hide.)
>
> A more likely possibility -
> All of the crypto-locks on the physical facilities will not work,
> nor any of the access cards - nobody will be able to get in.
> Meaning the world will be effectively, totally disarmed.
self-signed cert.s would pass the
audit, but your CA doesn't have to work that way.
The question then is whether the ability to issue EV cert.s yourself
is worth the effort and expense of doing it properly.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a softw
e ((nread = BIO_gets(in, buf, sizeof(buf))) && err > 0)
{
err = BIO_write(out, buf, nread);
}
}
A network echo service would use sockets instead of stdin, stdout
(unless it's meant to be run by something like inetd).
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
ad and make one for next
year.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
o *that* question had better be "NO". It truly doesn't
matter whether you made a new certificate or updated the old one,
because in either case you must distribute it again in a trustworthy
manner or nobody will trust it.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Ty
ible for an attacker to spoof both the CA and the
> end entity certificates, and that would be a VERY BAD THING :)
Well, that's what DNSSEC is for. Not to mention mutual authentication
between the directory and client.
I don't see why this CANNOT be secured. I agree that it tak
I went to www.microsoft.com and searched for "IIS install
certificate". The first hit led me to:
http://msdn2.microsoft.com/en-us/library/ms751408.aspx
with step-by-step instructions. (Ignore the leading part about
'makecert', of course -- you already have a certificate
Is there a built-in command in the openssl utility which can verify
that a private key and a certificate represent a valid keypair? Or is
there some simple way to determine this using other built-in commands?
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software
ock which indicates "you have explicitly told
me to trust this object".
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
bably better to just punt this decision to the builder.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
ot a script or an alias, then we (or at least I) don't know
what it is and cannot advise without more information about it.
I just tried the command:
openssl req -subj "/C=US/ST=NY/L=New York" -new > ny.req
on OpenSSL 0.9.8 under the shell Bash 3.00.0(1)-release and it works j
making appropriate substitutions from the form
data? Or if your form processor isn't a convenient place to do this, you
could fork a command that pipes the template through e.g. sed.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a
ted. So we see a field described as a serial
number and ask why it isn't behaving properly. It's too bad the standard
calls this attribute a "serial number" rather than, say, "certificate
unique identifier", but the term is fixed now.
--
Mark H. Wood, Lead Syst
ect bullets with his unprotected flesh, a native of Krypton, etc.
It's necessary to think about what "his name is Superman" means, and
whether that meaning is of any use in determining the kind of identity you
want to prove. The same is true of X.509 or OpenPGP certificates, or
reall
the exchange, see that
OurRoot is itself a subordinate cert., and continue chaining back to
IdenTrust;
o check *both*, note a discrepancy, yell "bloody murder!" and ask the
user for a decision.
If I've misunderstood the problem, what would you recommend I read?
--
Mar
web stuff, and
probably many more yet to be discovered.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".
xtensions.txt" and
"PKCS12-library.txt" or something like that?
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".
m the person whom you met in Chicago
on date D" or "I am the person X named in Y's will".
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".
S vendor's documentation.
Anything which is statically linked with code from the library archives
will need to be rebuilt before it can use the updated libraries.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friend
et has one other thing going for it: it's all wrapped up in a
pretty package so that you can just push a few buttons and have a private
CA ready for use. OTOH OpenSSL lets you see what it is doing, and it's
flexible enough to do a lot more than just issue magic numbers.
--
Mark H.
that I
ought to come away with a deeper understanding of what I'm doing, if I
work out the abstract requirements and then translate to OpenSSL
specifics.
I do think I'll have a look at _Network Security with OpenSSL_ when it
comes out, though.
--
Mark H. Wood, Lead System Program
On Tue, 14 May 2002, Franck Martin wrote:
[snip]
> Who can't see that this message is digitally signed and do you know why?
I can see that it is signed, but pine doesn't know what to do with an
"Application/X-PKCS7-SIGNATURE" bodypart.
--
Mark H. Wood,
ou! I hadn't thought of that, and it sounds like fun too.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".
's going to be to get *both* compatibly installed on one box.)
IIRC the Ethereal folk have also run up against this problem.
I'm not asking for anything at this time; I just wanted to provide a
couple of data points.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Window
". I hear that Intel is suing some
nonprofit for daring to call themselves "Yoga Inside", on the (ludicrous
IMHO) grounds that that name harms their trademark.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* us
ail 3.2.0.112 on my own system, passes through procmail
3.14 to be sorted into various mailboxes, and is read using pine 4.33.
Here some posts are multiplied up to five times, and some are not. That
suggests a gateway which is common to some, but not all, posters.
--
Mark H. Wood, Lead System Progra
terial out there for people who want to
buy something off the shelf, slam it in, do five minutes of cookbook
setup, and forget it ever happened. It's much harder to find books which
promote actual *understanding*.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Our lives are f
n the dump tool, to me. An eight-bit
signed value of -2 would be 254 if interpreted as unsigned.
I can recommend Olivier Dubuisson's book on ASN.1, but my copy is at home
now so I can't refer to it.
--
Mark H. Wood, Lead System Programmer [EMA
On Wed, 22 Aug 2001, Caliban Tiresias Darklock wrote:
> Just out of curiosity, why are attachments allowed on the list in the
> first place? Is there any legitimate reason for it?
Well, why not? Is there any legitimate reason *not* to?
--
Mark H. Wood, Lead System Programmer
ng VT5xx last I heard.
Anybody know whatever happened to the "Dragon" graphics chip?
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Make a good day.
roken. However it is perfectly reasonable for a list reflector to *add*
this header, and I appreciate the service.
Besides, I'm getting a nice list of virus-scanner companies that don't
know how to write proper autoresponders. :-/
--
Mark H. Wood, Le
If you don't insist on the token being a *card*, the iButton looks
interesting. I've not used it -- has anyone?
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Make a good day.
the use of their
algorithm.
But if you want to be *sure*, ask a lawyer.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Make a good day.
nada any given
technology for secure communication.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Make a good day.
g ssh properly.
Further discussion of ssh ought to move to [EMAIL PROTECTED] or
comp.security.ssh .
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
2000-05-05 13:27:15 GMT -- still no icebergs in the White River
.h be informed that IDEA is to be ignored?
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
2000-05-05 13:27:15 GMT -- still no icebergs in the White River
> much.
Now I am surprised. The key only means that you have a reasonably secure
channel to an unknown endpoint. Do lots of people really believe that it
means any more than that? That is frightening.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
"Where's the kaboom?
hat it issues?
What basis would we have for trusting A's certification that a certificate
asserting that it belongs to B was in fact issued to B, other than to trust
that A has diligently investigated the requestor's claims and met our
standards for establishing that that person is in fact B?
--
Mar
te this year when it expires, so
in the U.S. you have to use their code and obey their license until then.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Definitely NOT a lawyer.
what I was doing, and in all cases they said OK.
Can you get it in writing? It is difficult to get telephone conversations
into court. Each party contrives to remember them differently.
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Please, no more software products offering a &quo
body. I'll look through the stuff that 1.1 is
known to break and see if I can safely upgrade. (Then I'll have to tweak
ssh....)
--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Please, no more software products offering a "richer experience"! I have
indigestion o