language updates
root
20 years ago
parent
276614766e
commit
8a7b9e455a
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,457 @@
|
||||
<pre> CERTIFICATE RETRIEVAL
|
||||
|
||||
|
||||
STATUS OF THIS MEMO
|
||||
|
||||
This document is an Internet-Draft and is subject to all provisions of
|
||||
Section 10 of RFC2026..
|
||||
|
||||
INTRODUCTION
|
||||
|
||||
The CERTIFICATE RETRIEVAL Service is a TCP transaction based query/response
|
||||
server, running on port xxxxx, that provides directory service for internet
|
||||
users to automate the task of retrieving certificates based on email
|
||||
addresses or hostnames.
|
||||
|
||||
This service, together with a corresponding database of X.509 certificates
|
||||
can be used to automate security in conjunction with the 802.1x protocol
|
||||
for authentication and encryption, webmail services, and email in general
|
||||
that employ s/mime to encrypt replies to authors could request a certificate
|
||||
via the service rather then requiring the user to supply it up front, so as
|
||||
long as you know the email address and they have signed up for a certificate
|
||||
the message can be encrypted.
|
||||
|
||||
This method of distributing client certificates isn't intended for extremely
|
||||
sensitive material, but merely to protect day to day emails that are currently
|
||||
being sent as clear text. The security risk in this method isn't more likely
|
||||
to succeed then signing an email and distributing the certificate in that
|
||||
manner.
|
||||
|
||||
PROTOCOL
|
||||
|
||||
To access the CERTIFICATE RETRIEVAL service:
|
||||
|
||||
Connect to the service host on TCP service port xxxxx
|
||||
(decimal).
|
||||
|
||||
Send a single "command line", ending with <CRLF> (ASCII CR and
|
||||
LF).
|
||||
|
||||
Receive information in response to the command line. The server
|
||||
closes its connection as soon as the output is finished.
|
||||
|
||||
Extention to Service:
|
||||
|
||||
This service could be extended to relay services that worked inline
|
||||
with Certificate Authorities to cache responses and verify the
|
||||
certificates were still valid using OCSP services. Using the relay
|
||||
method it would be easier to include additional Certificate
|
||||
Authorities, instead of issuing client software updates every time a
|
||||
new Certificate Authority commenced operations, or alternatively
|
||||
ceased to operate.
|
||||
|
||||
Due to political concerns more then technical issues relay services
|
||||
should be run by impartial parties that don't have a vested interest
|
||||
in competing with other Certificate Authorities so no user would be
|
||||
disadvantaged.
|
||||
|
||||
SECURITY ISSUES
|
||||
|
||||
Spam:
|
||||
|
||||
Obviously this would open a potential method for spammers to validate
|
||||
their spam lists, and sending encrypted spam which may bypass current
|
||||
spam filters. This system to an extent mimics the PGP Key Exchange
|
||||
service, unlike the PGP Key Exchange there will be no effort to allow
|
||||
searching apart from exact email or hostnames. At time of writting
|
||||
there are no documented attempts to exploit the PGP Key Exchange for
|
||||
the purposes of spam. Certificate Authorities should offer a way for
|
||||
their users to opt out of this method of distributing public
|
||||
certificates.
|
||||
|
||||
Transfer:
|
||||
|
||||
Due to the nature of X.509 it would be highly improbable that the
|
||||
certificates could be compromised if they passed via a compromised
|
||||
relay, or as the information is passed via any communications medium.
|
||||
After the certificate is received issuer, CRL and OCSP checks should
|
||||
be performed by client software as per normal with any certificate
|
||||
received by other methods.
|
||||
|
||||
SIMILAR SERVICES
|
||||
|
||||
LDAP:
|
||||
|
||||
LDAP can already be used in a method similar to described in this
|
||||
document, however a simpler approach to security through an extremely
|
||||
simple, efficient method of distributing without the need for bulky libs
|
||||
and wrappers would help adoption and help increase security in general.
|
||||
|
||||
PGP Key Exchange:
|
||||
|
||||
Has much more extended capabilities although the concept is basically
|
||||
the same, an easy method of distributing public keys.
|
||||
|
||||
OCSP/CRL:
|
||||
|
||||
Much simpler services only responding to requests about validity of
|
||||
a certificate presented to them, will not respond with a copy of the
|
||||
certificate.
|
||||
|
||||
COMMAND LINES AND REPLIES
|
||||
|
||||
A command line is normally a single name specification. Note that
|
||||
the specification formats will evolve with time; the best way to
|
||||
obtain the most recent documentation on name specifications is to
|
||||
give the server a command line consisting of "?<CRLF>" (that is, a
|
||||
question-mark alone as the name specification). The response from
|
||||
the server will list all possible formats that can be used.
|
||||
The responses are currently intended to be machine-readable; the
|
||||
information is not meant to be passed back directly to a human user. The
|
||||
following three examples illustrate the use of the service as of February
|
||||
2004.
|
||||
|
||||
---------------------------------------------------------------------
|
||||
|
||||
Command line: ?
|
||||
Response:
|
||||
|
||||
Please enter an email address or hostname, such as "www.cacert.org".
|
||||
|
||||
---------------------------------------------------------------------
|
||||
|
||||
Command line: myisp.com
|
||||
Response:
|
||||
No valid certificate available.
|
||||
|
||||
---------------------------------------------------------------------
|
||||
|
||||
Command line: www.cacert.org
|
||||
Response:
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFiTCCA3GgAwIBAgICAjYwDQYJKoZIhvcNAQEEBQAweTEQMA4GA1UEChMHUm9v
|
||||
dCBDQTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlD
|
||||
QSBDZXJ0IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0
|
||||
QGNhY2VydC5vcmcwHhcNMDMwNDAyMDAzNzU2WhcNMDUwNDAxMDAzNzU2WjCBmjEL
|
||||
MAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRAwDgYD
|
||||
VQQKEwdDQSBDZXJ0MR4wHAYDVQQLExVTZXJ2ZXIgQWRtaW5pc3RyYXRpb24xFzAV
|
||||
BgNVBAMTDnd3dy5jYWNlcnQub3JnMSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNh
|
||||
Y2VydC5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMWKlVe5/cfDZiPq
|
||||
WZTUGvgLA4dbvj/cBJXZgkz6aIvKuBhZ+cXob/xc6tkL20NdXZIW6WIzaGk6SU0a
|
||||
vu6grLlHumwuXrFGPNRb8HyRQrvWzgD73Est+CDfLo+Omq55UjDDH0TZoAMV3L0N
|
||||
Gb/S7YZeYHNcUzAHcXTE1//LyS8bAgMBAAGjggF7MIIBdzAMBgNVHRMBAf8EAjAA
|
||||
MCoGA1UdJQQjMCEGCCsGAQUFBwMBBglghkgBhvhCBAEGCisGAQQBgjcKAwMwCwYD
|
||||
VR0PBAQDAgUgMB0GA1UdDgQWBBTN0mx8ONpAgO9SaMf5KcKmDjFgDjCBowYDVR0j
|
||||
BIGbMIGYgBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9v
|
||||
dCBDQTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlD
|
||||
QSBDZXJ0IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0
|
||||
QGNhY2VydC5vcmeCAQAwEQYJYIZIAYb4QgEBBAQDAgZAMFYGCWCGSAGG+EIBDQRJ
|
||||
FkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVy
|
||||
IHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzANBgkqhkiG9w0BAQQFAAOCAgEAc7vb
|
||||
l/zrCweRmHo8dQw7fpvX4KibbpZ5fXT9c1tn+oIUxV1erDI3r5YW6Cha8XIDhMxJ
|
||||
tKPXdyAkrzEt3SrQrFy/KndMCjS1ypic2g/IhUjnB7FnH7Jc3RF+w3GX6OO38XtQ
|
||||
ydcQk2qD125W7Kl6cgSXjauVz2AyjetHi0jA+SRcmnlIRafKLEDPsnc/1A6CFd4C
|
||||
e8J+mrSA4FPOwf1ezAEJAlsBNiM2oIcfbWjrUR/dfaBrGweBQS/mgXxSXJWJnFQI
|
||||
wNE47X3ibISAgT74p/zqdVoYBQEXe0LDNsmFU6eqc8OyLEKW3BIgfQxtGxKCLCsA
|
||||
G/TjfjxGRhi1FlX9ZPvuWGfV0ks0gMa/VDM7V37LMhVViyTHNTmKuHsOa7UAz/5x
|
||||
qJo/ruLuCfGF9Z8jfj0197J0LMQSr09YQ/JSDJE6IFE59/6ju7+Py+2NDRsiqo+/
|
||||
qi/4SGbXakOXqJv92NHLqD/jdq8D8RIPggQ2RGG7aNQ5bpmnZk6KEJH9jD50LAs1
|
||||
kU+KI/v8o94ZBz+MDhNgJpwT5R/Vvnri2iT9mIysfpCuZCZC6KJKN8rXT031ocmx
|
||||
CJyaTBopnpnHwGu238IAMSpq9nPibhCb0OlqMVHdid9qPr8iZDWVhgmgDasigS5Y
|
||||
lzsrd9lRVDVN5HITUCFG3Qr5xx7ltSouj/dkykg=
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
---------------------------------------------------------------------
|
||||
|
||||
EXAMPLE CODE
|
||||
|
||||
---------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Copyright Jeremey Barrett 2004 for CAcert.org
|
||||
You may create derivative works, as long as this copyright notice remains at the top
|
||||
*/
|
||||
|
||||
/*
|
||||
Example finger daemon that can return certificates from a database.
|
||||
Currently only tested on debian stable.
|
||||
use the following command to build program
|
||||
gcc -o cacert-finger cacert-finger.c -I/usr/include/mysql -L/usr/lib \
|
||||
-lmysqlclient -lz -DUSE_MYSQL
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/select.h>
|
||||
#include <netinet/in.h>
|
||||
|
||||
#ifdef USE_MYSQL
|
||||
#include <mysql.h>
|
||||
#endif
|
||||
|
||||
#ifdef USE_MYSQL
|
||||
static MYSQL mysql_db;
|
||||
#endif
|
||||
|
||||
#define DEFAULT_PORT 79
|
||||
|
||||
#define EMAIL_QUERY "select CRT from certs where `EMAIL`='%s' and \
|
||||
`revoked`='0000-00-00 00:00:00'"
|
||||
#define DOMAIN_QUERY "select CRT from domaincerts where \
|
||||
`revoked`='0000-00-00 00:00:00' and `CN`='%s'"
|
||||
#define WILD_DOMAIN_QUERY "select CRT from domaincerts where \
|
||||
`revoked`='0000-00-00 00:00:00' and (`CN`='%s' OR `CN`='%s')"
|
||||
|
||||
void err_exit(void)
|
||||
{
|
||||
perror("");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
#ifdef USE_MYSQL
|
||||
void do_mysql(int client_fd, char *query)
|
||||
{
|
||||
MYSQL_RES *res;
|
||||
MYSQL_ROW row;
|
||||
char *cert;
|
||||
|
||||
if(!(mysql_real_connect(&mysql_db, "host", "username", "password",
|
||||
"database", 0, "/var/run/mysqld/mysqld.sock", 0) != NULL))
|
||||
{
|
||||
printf(mysql_error(&mysql_db));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if(mysql_real_query(&mysql_db, query, strlen(query)))
|
||||
goto _err_return;
|
||||
|
||||
res = mysql_store_result(&mysql_db);
|
||||
if(mysql_num_rows(res) > 0)
|
||||
{
|
||||
row = mysql_fetch_row(res);
|
||||
|
||||
if(!row[0])
|
||||
goto _free_res_return;
|
||||
|
||||
cert = strstr(row[0], "-----BEGIN CERTIFICATE");
|
||||
if(cert) {
|
||||
char *response;
|
||||
int response_len = strlen(cert)+2;
|
||||
|
||||
response = (char *)calloc(1, response_len+1);
|
||||
if(!response)
|
||||
goto _free_res_return;
|
||||
memcpy(response, cert, response_len-2);
|
||||
response[response_len-2] = '\r';
|
||||
response[response_len-1] = '\n';
|
||||
|
||||
/* should be checked for errors, more writing */
|
||||
write(client_fd, response, response_len);
|
||||
|
||||
free(response);
|
||||
} }
|
||||
|
||||
_free_res_return:
|
||||
mysql_free_result(res);
|
||||
|
||||
_err_return:
|
||||
mysql_close(&mysql_db);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
int read_line(int fd, char *buf, int size)
|
||||
{
|
||||
int n = 0;
|
||||
int t = 0;
|
||||
char *p;
|
||||
char *q;
|
||||
|
||||
for(; t < size; ) {
|
||||
n = read(fd, buf+t, size-t);
|
||||
if(n < 0) {
|
||||
switch(errno) {
|
||||
case EINTR:
|
||||
continue;
|
||||
|
||||
default:
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if(n == 0) {
|
||||
return t;
|
||||
}
|
||||
|
||||
if(t)
|
||||
p = buf+t-1;
|
||||
else
|
||||
p = buf;
|
||||
|
||||
for(; *p && *p != '\n' && *p != '\r'; p++);
|
||||
|
||||
if(*p) {
|
||||
*p = 0;
|
||||
t = p-buf;
|
||||
return t;
|
||||
}
|
||||
|
||||
t += n;
|
||||
}
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
int handle_request(int fd)
|
||||
{
|
||||
char *buf;
|
||||
int buf_size;
|
||||
int len;
|
||||
int i;
|
||||
int email_query = 0;
|
||||
char query[4096]; /* ugly */
|
||||
char *email = NULL;
|
||||
char *domain = NULL;
|
||||
char *wildcard = NULL;
|
||||
|
||||
buf_size = 2048;
|
||||
|
||||
buf = (char *)calloc(1, buf_size);
|
||||
if(!buf)
|
||||
return -1;
|
||||
|
||||
if((len = read_line(fd, buf, buf_size-1)) <= 0)
|
||||
goto _free_return;
|
||||
|
||||
memset(buf+len, 0, buf_size-len);
|
||||
|
||||
if(strchr(buf, '@')) {
|
||||
email_query = 1;
|
||||
email = buf;
|
||||
}
|
||||
else {
|
||||
char *p;
|
||||
char *q;
|
||||
|
||||
p = strchr(buf, '.');
|
||||
if(p) {
|
||||
q = strchr(p+1, '.');
|
||||
if(q) {
|
||||
wildcard = (char *)calloc(1, strlen(p)+2);
|
||||
if(wildcard) {
|
||||
*wildcard = '*';
|
||||
memcpy(wildcard+1, p, strlen(p));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
domain = buf;
|
||||
}
|
||||
|
||||
memset(query, 0, sizeof(query));
|
||||
|
||||
if(email_query) {
|
||||
snprintf(query, sizeof(query)-2, EMAIL_QUERY, email);
|
||||
}
|
||||
else {
|
||||
if(wildcard && strcmp(wildcard, domain))
|
||||
snprintf(query, sizeof(query)-2, WILD_DOMAIN_QUERY, domain, wildcard);
|
||||
else
|
||||
snprintf(query, sizeof(query)-2, DOMAIN_QUERY, domain);
|
||||
|
||||
if(wildcard)
|
||||
free(wildcard);
|
||||
}
|
||||
|
||||
|
||||
/* go and do MySQL stuff here */
|
||||
|
||||
#ifdef USE_MYSQL
|
||||
do_mysql(fd, query);
|
||||
#else
|
||||
strcat(query, "\n");
|
||||
write(fd, query, strlen(query));
|
||||
#endif
|
||||
|
||||
|
||||
_free_return:
|
||||
free(buf);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
struct sockaddr_in server_sock;
|
||||
struct sockaddr_in client_sock;
|
||||
int client_addr_size;
|
||||
int server_fd = -1;
|
||||
int client_fd = -1;
|
||||
int pid;
|
||||
|
||||
/* take command line args, e.g. -p <port>, later */
|
||||
|
||||
if ((pid=fork()) < 0)
|
||||
{
|
||||
perror ("Fork failed");
|
||||
exit(errno);
|
||||
|
||||
|
||||
}
|
||||
|
||||
if (pid)
|
||||
{
|
||||
exit(0);
|
||||
}
|
||||
|
||||
server_fd = socket(PF_INET, SOCK_STREAM, 0);
|
||||
if(server_fd < 0)
|
||||
err_exit();
|
||||
|
||||
memset(&server_sock, 0, sizeof(server_sock));
|
||||
|
||||
server_sock.sin_family = AF_INET;
|
||||
server_sock.sin_addr.s_addr = INADDR_ANY;
|
||||
server_sock.sin_port = htons(DEFAULT_PORT);
|
||||
|
||||
if(bind(server_fd, (struct sockaddr *)&server_sock,
|
||||
sizeof(struct sockaddr_in)) < 0)
|
||||
err_exit();
|
||||
|
||||
if(listen(server_fd, 64) < 0)
|
||||
err_exit();
|
||||
|
||||
setgid(65534);
|
||||
setuid(65534);
|
||||
|
||||
for(;;) {
|
||||
memset(&client_sock, 0, sizeof(client_sock));
|
||||
client_addr_size = sizeof(client_sock);
|
||||
|
||||
client_fd = accept(server_fd,
|
||||
(struct sockaddr *)&client_sock, &client_addr_size);
|
||||
if(client_fd < 0)
|
||||
err_exit();
|
||||
|
||||
if(handle_request(client_fd) < 0)
|
||||
break;
|
||||
|
||||
close(client_fd);
|
||||
client_fd = -1;
|
||||
}
|
||||
|
||||
if(client_fd >= 0)
|
||||
close(client_fd);
|
||||
|
||||
close(server_fd);
|
||||
|
||||
exit(0);
|
||||
}</pre>
|
||||
@ -0,0 +1,62 @@
|
||||
<ul>
|
||||
<li><a href="#whatFor"><?=_("What is it for?")?></a></li>
|
||||
<li><a href="#whyEmails"><?=_("Why digitally sign your own emails?! (weirdo..)")?></a></li>
|
||||
<li><a href="#freedom"><?=_("How it prepares us to protect our freedom")?></a></li>
|
||||
<li><a href="#whyAdopt"><?=_("Why isn't it being adopted by everyone?")?></a></li>
|
||||
<li><a href="#whyAccept"><?=_("Why is the digital signature described as 'not valid/not trusted'?")?></a></li>
|
||||
<li><a href="#proof"><?=_("But, er, is this really proof of your email identity?")?></a></li>
|
||||
<li><a href="#gimme"><?=_("How do I create my own digital signature?!")?></a><br></li>
|
||||
<li><a href="#encrypt"><?=_("I can't wait to start sending encrypted emails!")?></a></li>
|
||||
<li><a href="#notes"><?=_("Notes for the strangely curious")?></a></li>
|
||||
<li><a href="#refs"><?=_("References")?></a></li>
|
||||
</ul>
|
||||
<br>
|
||||
<h3><a name="whatFor"></a><?=_("What is it for?")?></h3>
|
||||
<p><?=_("The purpose of digital signing is to prove, electronically, one's identity")?>. <?=_("You see this all the time on the Internet - every time you go to a secure page on a web site, for example to enter personal details, or to make a purchase, every day you browse web sites that have been digitally signed by a Certificate Authority that is accepted as having the authority to sign it. This is all invisible to the user, except that you may be aware that you are entering a secure zone (e.g. SSL and HTTPS).")?></p>
|
||||
<p><?=_("Your browser includes special digital (root) certificates from a number of these 'Certificate Authorities' by default, and all web sites use certificates that are validated by one of these companies, which you as a user implicitly trust every time you go to the secure part of a web site. (You might ask, who validates the security of the Certificate Authorities, and why should you trust them?!")?>.... <a href="#notes"><?=_("Good question")?></a>.)</p>
|
||||
<p><?=_("Digital signing thus provides security on the Internet.")?></p>
|
||||
|
||||
<h3><a name="whyEmails"></a><?=_("Why digitally sign your own emails?! (weirdo..)")?></h3>
|
||||
<p><?=_("Emails are not secure. In fact emails are VERY not secure!")?></p>
|
||||
<p><?=_("To get from computer Internet User A to Internet User B an email may pass through tens of anonymous computers on the Internet. These 'Internet infrastructure' computers are all free to inspect and change the contents of your email as they see fit. Governments systematically browse the contents of all emails going in/out/within their country, e.g. the")?> <a href="http://www.cnn.com/2000/TECH/computing/07/28/uk.surveillance.idg/"><?=_("UK Government has done this since the year 2000")?></a>. (<a href="#freedom"><?=_("How it prepares us to protect our freedom")?></a>). <?=_("Ever requested a password that you lost to be emailed to you? That password was wide open to inspection by potential crackers.")?></p>
|
||||
<p><?=_("As anyone who has received an email containing a virus from a strange address knows, emails can be easily spoofed. The identity of the sender is very easy to forge via email. Thus a great advantage is that digital signing provides a means of ensuring that an email is really from the person you think it is. If everyone digitally signed their emails, it would be much easier to know whether an email is legitimate and unchanged and to the great relief of many, spamming would be much easier to control, and viruses that forge the sender's address would be obvious and therefore easier to control.")?></p>
|
||||
|
||||
<h3><a name="freedom"></a><?=_("How it prepares us to protect our freedom")?></h3>
|
||||
<p><?=_("But perhaps, fundamentally, the most important reason for digital signing is awareness and privacy. It creates awareness of the (lack of) security of the Internet, and the tools that we can arm ourselves with to ensure our personal security. And in sensitising people to digital signatures, we become aware of the possibility of privacy and encryption.")?></p>
|
||||
<p><?=_("Most people would object if they found that all their postal letters are being opened, read and possibly recorded by the Government before being passed on to the intended recipient, resealed as if nothing had happened. And yet this is what happens every day with your emails (in the UK). There are some who have objected to this intrusion of privacy, but their voices are small and fall on deaf ears. However the most effective way to combat this intrusion is to seal the envelope shut in a miniature bank vault, i.e. encrypt your email. If all emails were encrypted, it would be very hard for Government, or other organisations/individual crackers, to monitor the general public. They would only realistically have enough resources to monitor those they had reason to suspect. Why? Because encryption can be broken, but it takes a lot of computing power and there wouldn't be enough to monitor the whole population of any given country.")?></p>
|
||||
<p><?=_("The reason digital signatures prepare us for encryption is that if everyone were setup to be able to generate their own digital signatures, it would be technically very easy to make the next step from digital signatures to encryption. And that would be great for privacy, the fight against spamming, and a safer Internet.")?></p>
|
||||
|
||||
<h3><a name="whyAdopt"></a><?=_("Why isn't it being adopted by everyone?")?></h3>
|
||||
<p><?=_("Of the biggest reasons why most people haven't started doing this, apart from being slightly technical, the reason is financial. You need your own certificate to digitally sign your emails. And the Certificate Authorities charge money to provide you with your own certificate. Need I say more. Dosh = no thanks I'd rather walk home. But organisations are emerging to provide the common fool in the street with a free alternative. However, given the obvious lack of funding and the emphasis on money to get enrolled, these organisations do not yet have the money to get themselves established as trusted Certificate Authorities. Thus it is currently down to trust. The decision of the individual to trust an unknown Certificate Authority. However once you have put your trust in a Certificate Authority you can implicitly trust the digital signatures generated using their certificates. In other words, if you trust (and accept the certificate of) the Certificate Authority that I use, you can automatically trust my digital signature. Trust me!")?></p>
|
||||
|
||||
<h3><a name="whyAccept"></a><?=_("Why is the digital signature described as 'not valid/not trusted'?")?></h3>
|
||||
<p><?=_("To fully understand, read the section directly above. I am using a free Certificate Authority to provide me with the ability to digitally sign my emails. As a result, this Certificate Authority is not (yet) recognised by your email software as it is a new organisation that is not yet fully established, although it is probably being included in the Mozilla browser. If you choose to, you can go the their site at CAcert.org to install the root certificate. You may be told that the certificate is untrusted - that is normal and I suggest that you continue installation regardless. Be aware that this implies your acceptance that you trust their secure distribution and storing of digital signatures, such as mine. (You already do this all the time). The CAcert.org root certificate will then automatically provide the safe validation of my digital signature, which I have entrusted to them. Or you can simply decide that you've wasted your time reading this and do nothing (humbug!). Shame on you! :-)")?></p>
|
||||
|
||||
<h3><a name="proof"></a><?=_("But, er, is this really proof of your email identity?")?></h3>
|
||||
<p><?=_("Security is a serious matter. For a digital certificate with full rights to be issued to an individual by a Certificate Authority, stringent tests must be conducted, including meeting the physical person to verify their identity. At the current moment in time, my physical identity has not been verified by CAcert.org, but they have verified my email address. Installing their root certificate (see above) will thus automatically allow you to validate my digital signature. You can then be confident of the authenticity of my email address - only I have the ability to digitally sign my emails using my CAcert.org certificate, so if you get an email that I digitally signed and which is validated by your email software using the cacert.org root certificate that you installed, you know it's from me. (Visually you get a simple indication that my email is signed and trusted). Technically, they haven't verified that I really am me! But you have the guarantee that emails from my address are sent by the person who physically administers that address, i.e. me! The only way that someone could forge my digital signature would be if they logged on to my home computer (using the password) and ran my email software (using the password) to send you a digitally signed email from my address. Although I have noticed the cats watching me logon...")?></p>
|
||||
|
||||
<h3><a name="gimme"></a><?=_("Cool man! How do I create my own digital signature?!")?></h3>
|
||||
<p><?=_("Easy. Ish. Go to CAcert.org, install their root certificate and then follow their joining instructions. Once you have joined, request a certificate from the menu. You will receive an email with a link to the certificate. Click on the link from your email software, and hopefully it will be seamlessly installed. Next find the security section of the settings in your email software and configure digital signatures using the certificate you just downloaded. Hmm. Call me if you want, I'll guide you through it.")?></p>
|
||||
|
||||
<h3><a name="encrypt"></a><?=_("I can't wait to start sending encrypted emails!")?></h3>
|
||||
<p><?=_("There's nothing to it. I mean literally, you can already start sending your emails encrypted. Assuming of course you have your own digital signature certificate (e.g. as per above), and the person you want to send an encrypted email to also has a digital signature certificate, and has recently sent you a digitally signed email with it. If all these conditions hold, you just have to change the settings in your email software to send the email encrypted and hey presto! Your email software (probably Outlook I guess) should suss out the rest.")?></p>
|
||||
|
||||
<h3><a name="notes"></a><?=_("Notes for the strangely curious")?></h3>
|
||||
<p><?=_("You are putting your trust in people you don't know!")?><br><?=_("One assumes that if a site has an SSL certificate (that's what enables secure communication, for exchanging personal details, credit card numbers, etc. and gives the 'lock' icon in the browser) that they have obtained that certificate from a reliable source (a Certificate Authority), which has the appropriate stringent credentials for issuing something so vital to the security of the Internet, and the security of your communications. You have probably never even asked yourself the question of who decided to trust these Certificate Authorities, because your browser comes with their (root) certificates pre-installed, so any web site that you come across that has an SSL certificate signed by one of them, is automatically accepted (by your browser) as trustworthy.")?></p>
|
||||
<p><?=_("Thus, having now asked the question, you suppose that it's the people who make the browser software that have carefully decided who is a trustworthy Certificate Authority. Funnily enough, the mainstream browsers have not, historically, had public policies on how they decide whether a Certificate Authority gets added to their browser. All of the Certificate Authorities that have found themselves in the browser software, are big names, probably with big profits (so they must be doing a good job!).")?></p>
|
||||
<p><?=_("That situation has changed, and Internet Explorer, being the most obvious example, now insists that any Certificate Authorities are 'audited' by an 'independent' organisation, the American Institute for Certified Public Accountant's (AICPA). So now, if you have the money needed (from US$75000 up to US$250000 and beyond) you can get these accountants, who clearly know a lot about money, to approve you as having the required technical infrastructure and business processes to be a Certificate Authority. And they get a nice wad of money for the pleasure. And the Certificate Authorities, having a kind of monopoly as a result, charge a lot for certificates and also get a nice wad of money. And everyone's happy.")?></p>
|
||||
<p><?=_("But, with all this money, and all this responsibility, they must be taking a lot of care to ensure the Certificate Authorities do their jobs well, and keep doing their jobs well, right? Well right?!")?></p>
|
||||
<p><?=_("And they are making mistakes")?></p>
|
||||
<p><?=_("So if you don't pass the audit, you don't get to be a Certificate Authority. And to pass the audit, well, you've got to show that you can do a good job issuing certificates. That they're secure, you only give them to the right people, etc. So what happens when you make a mistake and you erroneously issue a certificate that risks the entire Internet browsing population, like Verisign did? Well, er, nothing actually. They already paid for their audit, and damn it, they're so big now, we couldn't possibly revoke their Certificate Authority status. (There's too much money at stake!)")?></p>
|
||||
|
||||
<h3><?=_("So, dammit, what's the point of all this then?")?></h3>
|
||||
<p><?=_("The point is, as the current situation holds, you should be weary of anyone making decisions for you (i.e. pre-installed certificates in your browser), and you should be weary of anyone else's certificates that you install. But at the end of the day, it all boils down to trust. If an independent Certificate Authority seems to be reputable to you, and you can find evidence to support this claim, there's no reason why you shouldn't trust it any less than you implicitly trust the people who have already made mistakes.")?></p>
|
||||
<h3><a name="refs"></a><?=_("References")?></h3>
|
||||
<p><a href="http://www.counterpane.com/pki-risks.pdf"><?=_("Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure")?></a> - http://www.counterpane.com/pki-risks.pdf</p>
|
||||
<p><a href="http://www.webtrust.org/certauth.htm"><?=_("WebTrust for Certification Authorities")?></a> - http://www.webtrust.org/certauth.htm</p>
|
||||
<p><a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp"><?=_("Erroneous Verisign Issued Digital Certificates Pose Spoofing Hazard")?></a> - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp</p>
|
||||
<p><a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp"><?=_("Microsoft Root Certificate Program")?></a> - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp</p>
|
||||
<p><a href="http://www.homeoffice.gov.uk/crimpol/crimreduc/regulation/index.html"><?=_("The Regulation of Investigational Powers Act (RIPA)</a> ('Snooping Bill' official gov site, UK)")?> - http://www.homeoffice.gov.uk/crimpol/crimreduc/regulation/index.html</p>
|
||||
<p><a href="http://www.cnn.com/2000/TECH/computing/07/28/uk.surveillance.idg/"><?=_("U.K. e-mail snooping bill passed")?></a> (UK) - http://www.cnn.com/2000/TECH/computing/07/28/uk.surveillance.idg/</p>
|
||||
<p><?=_("Disclaimer : These are the author's opinions, but they should not be considered 'truth' without personal verification. The author may have made mistakes and any mistakes will be willingly rectified by contacting the administrator of elucido.net, contact details available from the normal domain registration information services (e.g. whois.net). No recommendation to install a Certificate Authority's root certificate is either intended nor implied.")?></p>
|
||||
<p><? printf(_("The page has been reproduced on %s with explicit permission from %sthe author%s with the information being copyrighted to the author (name with held by request)"), "<a href='http://www.cacert.org'>CAcert.org</a>", "<a href='http://elucido.net/'>", "</a>")?></p>
|
||||
@ -0,0 +1,71 @@
|
||||
<h3><?=_("Generating a Key Pair and Certificate Signing Request (CSR) for a Microsoft Internet Information Server (IIS) 5.0.")?></h3>
|
||||
<p><?=_("To generate a public and private key pair and CSR for a Microsoft IIS 5 Server:")?></p>
|
||||
<ol class="tutorial">
|
||||
<li><b><?=_("Key generation process")?></b><br />
|
||||
<?=_("Under 'Administrative Tools', open the 'Internet Services Manager'. Then open up the properties window for the website you wish to request the certificate for. Right-clicking on the particular website will open up its properties.")?><br />
|
||||
<img src="iistutorial/image001.jpg" height="453" width="642" alt="<?=_("Screenshot of IIS 5.0")?>" /><br />
|
||||
<img src="iistutorial/image002.jpg" height="453" width="463" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Open Directory Security folder")?></b><br />
|
||||
<?=_("In the 'Directory Security' folder click on the 'Server Certificate' button in the 'Secure communications' section. If you have not used this option before the 'Edit' button will not be active.")?><br />
|
||||
<img src="iistutorial/image003.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Select 'Create a new certificate'")?></b><br />
|
||||
<?=_("Now 'Create a new certificate'.")?><br />
|
||||
<img src="iistutorial/image004.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Prepare the request")?></b><br />
|
||||
<?=_("You'll prepare the request now, but you can only submit the request via the online request forms. We do not accept CSRs via email.")?><br />
|
||||
<img src="iistutorial/image005.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Enter a certificate name and select Certificate strength")?></b><br />
|
||||
<?=_("Select 'Bit length'. We advise a key length of 1024 bits.")?><br />
|
||||
<img src="iistutorial/image006.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /><br />
|
||||
<br />
|
||||
<?=_("You have now created a public/private key pair. The private key is stored locally on your machine. The public portion is sent to CAcert in the form of a CSR.")?><br />
|
||||
<br />
|
||||
<?=_("You will now create a CSR. This information will be displayed on your certificate, and identifies the owner of the key to users. The CSR is only used to request the certificate. The following characters must be excluded from your CSR fields, or your certificate may not work:")?> <p style="color: red;">! @ # $ % ^ * ( ) ~ ? > < & / \</p>
|
||||
</li>
|
||||
<li><b><?=_("Enter your Organisation Information")?></b><br />
|
||||
<?=_("Enter the Organisation name: this must be the full legal name of the Organisation that is applying for the certificate.")?><br />
|
||||
<br />
|
||||
<?=_("The Organisational Unit field is the 'free' field. It is often the department or Server name for reference.")?><br />
|
||||
<img src="iistutorial/image007.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Enter your Common Name")?></b><br />
|
||||
<?=_("The Common Name is the fully qualified host and Domain Name or website address that you will be securing. Both 'www.cacert.org' and 'secure.cacert.com' are valid Common Names. IP addresses are usually not used.")?><br />
|
||||
<img src="iistutorial/image008.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Enter the geographical details")?></b><br />
|
||||
<?=_("Your country, state and city.")?><br />
|
||||
<img src="iistutorial/image009.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Choose a filename to save the request to")?></b><br />
|
||||
<?=_("Select an easy to locate folder. You'll have to open this file up with Notepad. The CSR must be copied and pasted into our online form. Once the CSR has been submitted, you won't need this CSR any more as IIS won't reuse old CSR to generate new certificates.")?><br />
|
||||
<img src="iistutorial/image010.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Confirm your request details")?></b></li>
|
||||
</ol>
|
||||
<p><?=_("Finish up and exit IIS Certificate Wizard")?></p>
|
||||
|
||||
<h3><?=_("Certificate Installation process for IIS 5.0")?></h3>
|
||||
<p><?=_("After your certificate has been emailed to you, follow this process to install the certificate.")?></p>
|
||||
<ol class="tutorial">
|
||||
<li><b><?=_("Saving the certificate")?></b><br />
|
||||
<?=_("Copy the contents of the email including the ")?>
|
||||
<code>-----BEGIN CERTIFICATE-----</code> <?=_("and")?>
|
||||
<code>-----END CERTIFICATE-----</code> <?=_("lines. Do not copy any extra line feeds or carriage returns at the beginning or end of the certificate. Save the certificate into a text editor like Notepad. Save the certificate with an extension of .cer and a meaningful name like certificate.cer")?><br /><br />
|
||||
<img src="iistutorial/image011b.png" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Installation steps")?></b><br />
|
||||
<?=_("Return to the 'Internet Information Services' screen in 'Administrative Tools' under 'Control Panel'. Right click on 'Default Web Site' and select 'Properties'.")?><br />
|
||||
<img src="iistutorial/image001.jpg" height="453" width="642" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Select the Directory Security tab")?></b><br />
|
||||
<?=_("Select 'Server Certificate' at the bottom of the tab in the 'Secure communications' section.")?><br />
|
||||
<img src="iistutorial/image002.jpg" height="453" width="463" alt="<?=_("Screenshot of IIS 5.0")?>" /><br /></li>
|
||||
<li><b><?=_("In the 'IIS Certificate Wizard' you should find a 'Pending Certificate Request'.")?></b><br />
|
||||
<?=_("Ensure 'Process the pending request and install the certificate' is selected and click on 'Next'.")?><br />
|
||||
<img src="iistutorial/image012.gif" height="388" width="506" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Browse to the location you saved the .cer file to in step 1")?></b><br />
|
||||
<?=_("Select the .cer file and click 'Next'.")?><br />
|
||||
<img src="iistutorial/image013.gif" height="388" width="505" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("Ensure that you are processing the correct certificate")?></b><br />
|
||||
<?=_("...then click 'Next'.")?><br />
|
||||
<img src="iistutorial/image014.jpg" height="390" width="506" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
<li><b><?=_("You will see a confirmation screen.")?></b><br />
|
||||
<?=_("When you have read this information, click 'Finish'.")?><br />
|
||||
<img src="iistutorial/image015.gif" height="390" width="507" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
|
||||
</ol>
|
||||
<p><b><?=_("And you're done!")?></b></p>
|
||||
<p><?=_("For more information, refer to your server documentation or visit")?> <a href="http://support.microsoft.com/support/"><?=_("Microsoft Support Online")?></a>.</p>
|
||||
@ -0,0 +1,28 @@
|
||||
<p><?=_("Firstly you will need to run the following command, preferably in secured directory no one else can access, however protecting your private keys is beyond the scope of this document.")?></p>
|
||||
<p># openssl req -nodes -new -keyout private.key -out server.csr</p>
|
||||
<p><?=_("Then the system will try to generate some very random numbers to get a secure key.")?></p>
|
||||
<p><?=_("Generating a 1024 bit RSA private key")?><br>
|
||||
...++++++<br>
|
||||
....++++++<br>
|
||||
<?=_("writing new private key to 'private.key'")?></p>
|
||||
<p><?=_("You will then be asked to enter information about your company into the certificate. Below is a valid example:")?></p>
|
||||
<p><?=_("Country Name (2 letter code) [AU]:")?>AU<br>
|
||||
<?=_("State or Province Name (full name) [NSW]:")?>NSW<br>
|
||||
<?=_("Locality Name (eg, city) [Sydney]:")?>Sydney<br>
|
||||
<?=_("Organization Name (eg, company) [XYZ Corp]:")?>CAcert Inc.<br>
|
||||
<?=_("Organizational Unit Name (eg, section) [Server Administration]:.")?><br>
|
||||
<?=_("Common Name (eg, YOUR name) []:")?>www.cacert.org<br>
|
||||
<?=_("Email Address")?> []:support@cacert.org</p>
|
||||
<p><?=_("Finally you will be asked information about 'extra' attribute, you simply hit enter to both these questions.")?></p>
|
||||
<p><?=_("Next step is that you submit the contents of server.csr to the CAcert website, it should look *EXACTLY* like the following example otherwise the server may reject your request because it appears to be invalid.")?></p>
|
||||
<p>-----BEGIN CERTIFICATE REQUEST-----<br>
|
||||
MIIBezCB5QIBADA8MRcwFQYDVQQDEw53d3cuY2FjZXJ0Lm9yZzEhMB8GCSqGSIb3<br>
|
||||
DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB<br>
|
||||
iQKBgQDQd1+ut4TJLWZf5A9r3D17Kob+CNwz/jfCOYrH0P6q1uw4jfSyrWUeSaVc<br>
|
||||
59Xjpov8gRctlAuWM9KavkLSF6vcNdDEbvUYnL/+ixdmVE9tlXuSFEGz0GAF5faf<br>
|
||||
QZe30wk+2hnC6P+rwclypOhkTXtWgvSHPZg9Cos8xqDyv589QwIDAQABoAAwDQYJ<br>
|
||||
KoZIhvcNAQEEBQADgYEAJruzBZr4inqaeidn1m2q47lXZUWjgsrp3k3bFJ/HCb3S<br>
|
||||
2SgVqHFrOisItrr7H0Dw2EcPhIrRokRdjIAwwlxG9v21eFaksZUiaP5Yrmf89Njk<br>
|
||||
HV+MZXxbC71NIKrnZsDhHibZslICh/XjdPP7zfKMlHuaaz1oVAmu9BlsS6ZXkVA=<br>
|
||||
-----END CERTIFICATE REQUEST----- </p>
|
||||
<p><?=_("Once you've submitted it the system will process your request and send an email back to you containing your server certificate.")?></p>
|
||||
@ -0,0 +1 @@
|
||||
<?=_("To be completed")?>
|
||||
@ -0,0 +1,11 @@
|
||||
<p><?=_("Firstly you need to join CAcert to do that go:")?> <a href='https://www.cacert.org/index.php?id=1'><?=("here")?></a></p>
|
||||
|
||||
<p><?=_("Then you need to generate a Certificate Signing Request, for more details go:")?> <a href=http://www.cacert.org/help.php><?=_("here")?></a></p>
|
||||
|
||||
<p><?=_("You then need to add the domain you have control of to your account, which you can do:")?> <a href='https://www.cacert.org/account.php?id=7'><?=_("here")?></a></p>
|
||||
|
||||
<p><?=_("System will send you an email with a link in it, you just open the link in a webbrowser.")?></p>
|
||||
|
||||
<p><?=_("Then you need to submit the contents from the CSR file to CAcert, you need to go:")?> <a href='https://www.cacert.org/account.php?id=10'><?=_("here")?></a></p>
|
||||
|
||||
<p><?=_("CAcert then sends you an email with a signed copy of your certificate. Hopefully the rest should be pretty straight forward.")?></p>
|
||||
@ -0,0 +1,9 @@
|
||||
<p><?=_("In light of a request on the bugzilla list for more information about how our root certificate is protected I've decided to do a write up here and see if there is anything more people suggest could be done, or a better way of handling things altogether.")?></p>
|
||||
<p><?=_("Currently there is 2 main servers, one for webserver, one for root store, with the root store only connected to the webserver via serial cable, with a daemon running as non-root processes on each end of the serial listening/sending requests/info.")?></p>
|
||||
<p><?=_("If the root store detects a bad request it assumes the webserver is compromised and shuts itself down.")?></p>
|
||||
<p><?=_("If the root store doesn't receive a 'ping' reply over the serial link within a determined amount of time it assumes the webserver is compromised or the root store itself has been stolen and shuts itself down.")?></p>
|
||||
<p><?=_("Apart from the boot stuff, all data resides on an encrypted partition on the root store server and only manual intervention in the boot up process by entering the password will start it again.")?></p>
|
||||
<p><?=_("The requests sent to the root store, are stored in a file for another process triggered by cron to parse and sign them, then stored in a reply file to be sent back to the webserver. Causing things to be separated into different users, basic privilege separation stuff. So being actually able to hack the serial daemons will only at the VERY worst cause fraudulent certificates, not the root to be revealed.")?></p>
|
||||
<p><?=_("Why use serial you ask? Well certificate requests are low bandwidth for starters, then of course simpler systems in security are less prone to exploits, and finally serial code is pretty mature and well tested and hopefully all exploits were found and fixed a long time ago.")?></p>
|
||||
<p><?=_("With the proposed root certificate changes, there would be a new root, this would sign at least 1 sub-root, then the private key stored offline in a bank vault, with the sub-root doing all the signing, or alternatively 2 sub-roots, 1 for client certificates, one for server, the thinking behind this, if any of the sub-roots are compromised they can be revoked and reissued.")?></p>
|
||||
<p><?=_("Alternatively as things progress we can add more layers of security with say 4 webservers talking to 2 intermediate servers, talking to the root store, and acting in a token ring fashion, anything happening out of sequence, and the server directly upstream shuts itself down, which if that were in place and there were multiple paths, any down time in this fashion would fall over to the servers not compromised, anyways just some food for thought.")?></p>
|
||||
Loading…
Reference in New Issue