Alice,
Have you found an OCSP responder?
I am writing an Internet Draft for using openssl to set up a simple
ECDSA pki:
https://datatracker.ietf.org/doc/draft-moskowitz-ecdsa-pki/
It is PAST time that the default for certs is RSA, and rather move on to
ECDSA. EdDSA is almost ready to ship! (Dan Bernstein's ECC rather than
NIST/NSA, plus they ARE better curves)
Version 01 is in the works that adds CRL (done) and OCSP (almost done).
I should have this version posted by middle of next week.
Right now I use self-signed certs for all my servers, but I plan on
creating my own small PKI and running my own OCSP responder. I also
would like to find something 'simple'.
ECDSA will have better response for DANE. EdDSA will be even better!
But it will take the NEXT version of openssl to provide support.
Bob
On 04/16/2017 12:43 PM, Robert Moskowitz wrote:
What about the pki package that comes with Centos?
pki-server and pki-ca?
On 04/16/2017 11:54 AM, Alice Wonder wrote:
Oh I don't know, their github works.
However it seems that it isn't able to deal with more than one ocsp
signing key.
On 04/16/2017 08:40 AM, Robert Moskowitz wrote:
On 04/14/2017 10:41 PM, Alice Wonder wrote:
https://www.openca.org/ might fit my needs.
their Centos repo does not exist, it seems?
On 04/14/2017 06:29 PM, Alice Wonder wrote:
Hello list,
I'm contemplating running my own CA to implement the new proposed ISP
for validation of S/MIME certificates via DANE.
I already use self-signed for my MX servers (with 3 1 1 dane
records on
TCP port 25) but I don't want to use self-signed for S/MIME for user
specific x.509 certs because
A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS
Instead, I will be using a wildcard in DNS with an intermediary that
signs the user x.509 certificates.
Using an intermediary to sign their certificates though means I can't
just revoke their certificates by removing the DNS certificate, I'll
need to provide an OCSP server for when one of their private keys
gets
compromised.
I found
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html
but it looks like that is intended for enterprise, more complex
than I
need.
Anyone know of a good simple script for providing OCSP ??
-=-
Not relevant to question but just important for me to note, I will
*not*
be asking people to install my root certificate in their e-mail
clients.
I think it is a bad practice to get users in the habit of installing
root certificates.
I think the PKI system has way way way to many root certificates
as it
is. I want a world where DANE validates most certificates, and only a
few root certificates are needed for things like banks where EV
certificates are a must.
DANE as a way to validate S/MIME I think will be a godsend to e-mail
security, I hope clients implement it.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos