On 31-07-2013 22:11, Salz, Rich wrote:
Wouldn't it be just as good to have a cRLDistributionPoint which does not restrict the
available ReasonFlags and then put "cACompromise" in the CRL if/when that
disaster happens?
No, because with my idea you are a priori restricting the crlDP to be only CA
r
> Wouldn't it be just as good to have a cRLDistributionPoint which does not
> restrict the available ReasonFlags and then put "cACompromise" in the CRL
> if/when that disaster happens?
No, because with my idea you are a priori restricting the crlDP to be only CA
revocation.
> Wouldn't it be equall
On 31-07-2013 19:56, Salz, Rich wrote:
This is not possible according to PKIX. RFC5280 states "The trust anchor for the
certification path [of the crl] MUST be the same as the trust anchor used to validate the
target certificate."
The root certificate creates a crl-signing cert. The root certi
> This is not possible according to PKIX. RFC5280 states "The trust anchor for
> the certification path [of the crl] MUST be the same as the trust anchor used
> to validate the target certificate."
The root certificate creates a crl-signing cert. The root certificate includes
a cRLDistributionP
> -Original Message-
> From: Walter H.
>> Eisenacher, Patrick wrote:
> >> -Original Message-
> >> From: Jakob Bohm
>>
> > As I said before, there's no pki-inherent mechanism to revoke a self signed
>> certificate other than to remove it from your truststore.
>
> not really; a CA tha
On 31.07.2013 16:47, Jakob Bohm wrote:
the only cert that can't be checked by OCSP is the root cert itself;
This is where I disagree, can you point me to an actual reason why
not, which is not refuted by my logical ABC argument above.
the Authority Information Access extension does not make an
On 31-07-2013 16:01, Walter H. wrote:
Eisenacher, Patrick wrote:
-Original Message-
From: Jakob Bohm
On 31-07-2013 11:02, Eisenacher, Patrick wrote:
-Original Message-
From: Jakob Bohm
On 30-07-2013 20:53, Walter H. wrote:
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
Jako
Eisenacher, Patrick wrote:
-Original Message-
From: Jakob Bohm
On 31-07-2013 11:02, Eisenacher, Patrick wrote:
-Original Message-
From: Jakob Bohm
On 30-07-2013 20:53, Walter H. wrote:
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
Jakob, I don't und
> -Original Message-
> From: Jakob Bohm
>
> On 31-07-2013 11:02, Eisenacher, Patrick wrote:
> >> -Original Message-
> >> From: Jakob Bohm
> >>
> >> On 30-07-2013 20:53, Walter H. wrote:
> >>> On 30.07.2013 19:51, Eisenacher, Patrick wrote:
> > Jakob, I don't understand your reasoni
On 31-07-2013 11:02, Eisenacher, Patrick wrote:
-Original Message-
From: Jakob Bohm
On 30-07-2013 20:53, Walter H. wrote:
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
In Boolean logic, we have the following possibilities:
- Root is trusted, so the revocation is valid, so the root i
> -Original Message-
> From: Jakob Bohm
>
> On 30-07-2013 20:53, Walter H. wrote:
> > On 30.07.2013 19:51, Eisenacher, Patrick wrote:
>
> In Boolean logic, we have the following possibilities:
>
> - Root is trusted, so the revocation is valid, so the root is not
> trusted. This is a c
On 30-07-2013 20:53, Walter H. wrote:
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
I was wondering how the root cert gets revoked. Anyway thanks for
posting
that request.
A self-signed certificate can't be revoked via a crl, because you
won't be able to successfully verify its signature.
ke
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
I was wondering how the root cert gets revoked. Anyway thanks for posting
that request.
A self-signed certificate can't be revoked via a crl, because you won't be able
to successfully verify its signature.
keep in mind, that in case you detect a p
> -Original Message-
> From: redpath
>
> I agree with this
>
> "Once again, I would like to advocate that the openssl verification code
> should allow a self-signed certificate to revoke itself, using the same
> mechanisms as for revoking anything else. "
>
> I was wondering how the ro
sting
that request.
--
View this message in context:
http://openssl.6102.n7.nabble.com/OCSP-and-self-signed-tp45918p45996.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
On 23-07-2013 23:56, Steven Madwin wrote:
The short answer is no. An OCSP response has to be signed by the issuer (or
a delegate of the issuer) and a self-signed cert is issued by itself. As a
general rule certs can't revoke themselves so there is no need to get a
revocation response for a self-
ssage-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of redpath
Sent: Tuesday, July 23, 2013 10:27 AM
To: openssl-users@openssl.org
Subject: OCSP and self signed
I was wondering about self signed certs. If I run the test OCSP it needs to
know the CA cer
I was wondering about self signed certs. If I run the test OCSP it needs to
know the
CA cert but there is no CA cert. So can an OCSP responder work for self
signed certs?
--
View this message in context:
http://openssl.6102.n7.nabble.com/OCSP-and-self-signed-tp45918.html
Sent from the OpenSSL
Hi,
any idea how I can trust a self signed certificate, avoiding use of the no chain
verify flag?
thanks,
M.M.
> > Can you include the certificates involved in your problem report?
Thanks for reply & attention, below the CA
-BEGIN
CERTIFICATE-MIIDwTCCAqmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgTELMAkGA1UEBhMCSVQxFzAVBgNVBAoTDkFjdGFsaXMgUy5wLkEuMSIwIAYDVQQLExlTZXJ2aXppIGRpIGNlcnRpZmljYXppb25lMTUwMwYDV
On September 11, 2008 09:24:46 am matteo mattau wrote:
> Dears, I'm in trouble with self signed certificate, when I try to verify via
> ocsp a certificate whose issuer is self signed. The error I receive is
> always openssl ocsp -issuer /usr/local/ssl/cert/issuerPEM.crt -cert
> ./certificatePEM.cer -
Dears, I'm in trouble with self signed certificate, when I try to verify via
ocsp a certificate whose issuer is self signed. The error I receive is always
openssl ocsp -issuer /usr/local/ssl/cert/issuerPEM.crt -cert
./certificatePEM.cer -url http://ocsp.foo.com -CApath
/usr/local/ssl/certRespons
22 matches