Re: [openssl-users] Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-26 Thread Erwann Abalea
On 25/09/2012 18:45, Jakob Bohm wrote: On 9/25/2012 6:12 PM, Erwann Abalea wrote: On 25/09/2012 14:16, Jakob Bohm wrote: > On 9/25/2012 11:11 AM, Erwann Abalea wrote: [...] Any signature algorithm works by dividing the universe of N bit strings into those that are valid signatures for the

Re: [openssl-users] Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-25 Thread Jakob Bohm
On 9/25/2012 6:12 PM, Erwann Abalea wrote: Hello, On 25/09/2012 14:16, Jakob Bohm wrote: > On 9/25/2012 11:11 AM, Erwann Abalea wrote: >> On 24/09/2012 21:03, Jakob Bohm wrote: >> > Does that work with any other serious X.509 validation toolkit? >> >> It should. And in fact, OpenSSL wor

Re: [openssl-users] Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-25 Thread Erwann Abalea
Hello, On 25/09/2012 14:16, Jakob Bohm wrote: On 9/25/2012 11:11 AM, Erwann Abalea wrote: On 24/09/2012 21:03, Jakob Bohm wrote: > Does that work with any other serious X.509 validation toolkit? It should. And in fact, OpenSSL works correctly, at least versions 1.0.1 (Ubuntu), and 1

Re: [openssl-users] Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-25 Thread Jakob Bohm
On 9/25/2012 11:11 AM, Erwann Abalea wrote: Hello, On 24/09/2012 21:03, Jakob Bohm wrote: > Does that work with any other serious X.509 validation toolkit? It should. When trying to build a valid certification path, all possibilities have to be tested until one of them succeeds. If a CA gi

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-25 Thread Klaus Darilion
-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Thursday, September 13, 2012 9:42 AM To: openssl-users@openssl.org Subject: RE: certificate validation issues with openssl 1.0.0 and expired certificates in cafile Would it make sense to delete the expired certificate from the Windows

Re: [openssl-users] Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-25 Thread Erwann Abalea
Hello, On 24/09/2012 21:03, Jakob Bohm wrote: Does that work with any other serious X.509 validation toolkit? It should. When trying to build a valid certification path, all possibilities have to be tested until one of them succeeds. If a CA gives a good signature, but fails for whateve

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-24 Thread Ashok C
Thanks Jakob, but in the three scenarios you mentioned, the first one *does not* seem to be supported by openssl 1.0.0. I think that was the subject of this email thread in the beginning. >>1. Changing expiry or other attributes while keeping the key. Here the CA issues a new self-signed certific

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-24 Thread Jakob Bohm
Does that work with any other serious X.509 validation toolkit? To make this work (assuming the old root CA cert has not yet expired), the validation code will need to actually verify the End Entity certificate against both public keys, which effectively reduces the algorithm security by allowi

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-24 Thread Ashok C
Only the private and public keys are different. The rest of the fields are the same. Basically I am simulating the trust anchor update related scenarios. And yes Jakob, thanks for indicating, I'll make sure I don't use such abbreviations from here on. Ashok On Sep 24, 2012 11:25 PM, "Jakob Bohm" wrot

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-24 Thread Jakob Bohm
Hi, In your test case which fields actually differ between the old root CA certificate and the new root CA certificate? P.S. Please do not use those 3 letter abbreviations of certificate field names, very few people know those abbreviations. For the benefit of other readers: I think Ashok was

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-24 Thread Ashok C
Hi, One more observation was made here in another test case. Configuration: One old root CA certificate oldca.pem with subject name say, C=IN One new root CA certificate newca.pem with same subject name. One EE certificate, ee.pem issued by new root CA. Test case 1: Using CAFile option in ope

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-24 Thread Jakob Bohm
On 9/13/2012 3:41 PM, Charles Mills wrote: Would it make sense to delete the expired certificate from the Windows store? Duplicate expired/non-expired CA certificates sounds to me like a problem waiting to happen. /Charles/ Windows has built-in support for using and checking time stamping c

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-19 Thread Ashok C
-us...@openssl.org [mailto: >> owner-openssl-us...@openssl.org] On Behalf Of Charles Mills >> Sent: Thursday, September 13, 2012 9:42 AM >> To: openssl-users@openssl.org >> Subject: RE: certificate validation issues with openssl 1.0.0 and >> expired certificates i

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-14 Thread Ashok C
> > From: owner-openssl-us...@openssl.org [mailto: > owner-openssl-us...@openssl.org] On Behalf Of Charles Mills > Sent: Thursday, September 13, 2012 9:42 AM > To: openssl-users@openssl.org > Subject: RE: certificate validation issues with openssl 1.0.0 and > expired

RE: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-13 Thread Erik Tkal
lto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Thursday, September 13, 2012 9:42 AM To: openssl-users@openssl.org Subject: RE: certificate validation issues with openssl 1.0.0 and expired certificates in cafile Would it make sense to delete the expired certificate from the Windo

RE: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-13 Thread Charles Mills
, September 13, 2012 12:49 AM To: openssl-users@openssl.org Subject: Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile Sending again as the previous email did not appear in list. Is there some problem with the mailing list? -- Ashok On Wed, Sep 12, 2012 at

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-13 Thread Ashok C
Sending again as the previous email did not appear in the list. Is there some problem with the mailing list? -- Ashok On Wed, Sep 12, 2012 at 2:59 PM, Ashok C wrote: > Hi, > > I don't think this question was answered. Could you please reply? > > -- > Ashok > > > On Tue, Jul 31, 2012 at 11:13 PM, Kl

Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

2012-09-12 Thread Ashok C
Hi, I don't think this question was answered. Could you please reply? -- Ashok On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion < klaus.mailingli...@pernau.at> wrote: > Hi! > > I wrote a small program which dumps all root certificates from the Windows > certificate store into a file. Then I use ope