CaCertSsl (29 May 2011, ChrisC)

*.indymedia.org SSL certificates from CAcert.org

This page documents how to set up CAcert.org SSL certificates for Indymedia sub-domains; get their root certificate here.

Contact

You can email, or pester in #tech on irc.indymedia.org, the following people about getting a CAcert certificate for any *.indymedia.org sub-domain:

Also, if you want to ask more general questions about CAcert, there is #cacert on irc.cacert.org, the CAcert wiki and the CAcert lists.

Apache HTTPS SSL certificates

The preferred way to set up Apache is the multiple domain name method; the old single domain method has been left for reference only.

Firstly there are some security considerations — you should ideally generate and keep the key on an encrypted partition, because there has been a case (http://www.autistici.org/ai/crackdown) where the authorities sniffed encrypted traffic for a period, then seized the server to get the private key and decrypted all the past traffic they had logged.

One drawback of having the key on an encrypted partition is that Apache can't start if it can't access the key, so each time the box is booted the partition holding the encrypted keys needs to be decrypted before Apache can be started.

See the TravenEncryptedPartitions page for an example of how encrypted partitions can be set up, and also UkCrypto#Filesystem for a comparison of the different encryption options and the riseup documentation.
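As an added example (not from this page or its attached scripts), here is a small wrapper that only starts Apache once the key on the encrypted partition is actually present and locked down to its owner, so a boot with the partition still encrypted fails loudly instead of leaving Apache half-configured. The key path is the one used in the httpd.conf example further down this page; the init-script path and the script's own filename are assumptions:

```shell
#!/bin/sh
# Added example, not part of the CaCertSsl page or its scripts: pre-start
# check for Apache when the private key lives on an encrypted partition.
# Apache is started only if the key file is present (partition decrypted
# and mounted), readable by us, not readable by group/others, and really
# is a PEM private key. KEY_FILE comes from the page's httpd.conf example;
# APACHE_START is an assumed Debian-style init script.

KEY_FILE="${KEY_FILE:-/etc/crypt/foo-bar_privatekey.pem}"
APACHE_START="${APACHE_START:-/etc/init.d/apache2 start}"

# key_ready FILE -> 0 if FILE passes all checks; prints the reason on failure
key_ready() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "key not found: $f (is the encrypted partition mounted?)" >&2
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "key not readable: $f" >&2
        return 1
    fi
    # POSIX find: -perm -g+r / -perm -o+r match when those bits are set
    if [ -n "$(find "$f" -prune \( -perm -g+r -o -perm -o+r \) -print)" ]; then
        echo "key is readable by group/others: $f (chmod 600 it)" >&2
        return 1
    fi
    # a cert or CSR dropped in by mistake must not pass as the key
    if ! grep -q 'PRIVATE KEY-----' "$f"; then
        echo "not a PEM private key: $f" >&2
        return 1
    fi
    return 0
}

# start_apache -> runs the init script only when the key passes the checks
start_apache() {
    key_ready "$KEY_FILE" || return 1
    $APACHE_START
}

# Only act when run directly under the assumed name, not when sourced.
if [ "${0##*/}" = "apache-keycheck.sh" ]; then
    start_apache
fi
```

Run it from whatever starts Apache after the partition has been decrypted; sourcing the file instead gives you key_ready on its own for use in a monitoring check.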

HTTPS limitations

HTTPS isn't the answer for anonymising publishing to Indymedia sites — it doesn't prevent the time, size and remote IP addresses from being tracked by someone sniffing the traffic, and this information can then be compared with the publicly available timestamps on articles.

Having multiple publishing sites share one IP address helps in this case, and it would also help if the CMSs didn't publish the exact time on posts (rounding to the nearest 5 minutes or so), but this still isn't the answer...

Suggesting that people who want to publish anonymously use HTTPS and Tor is probably the best that can be done; see the UK IMC site (follow the link to the security page) for an example of this.

HTTP multiple domain names

It is now possible to have multiple VirtualHosts with different domain names all using one IP address and one cert with all the names in it; for more information about how this works see the CAcert VhostTaskForce and VhostsApache wiki pages.

Generating a CSR

The first thing you need to do is generate a certificate signing request, and the script attached to this page is the easiest way to do this (please read over the script before running it to get an idea of what it does):

  • csr.sh.txt: Bash script for generating CSRs with multiple domain names

(This script is a modified version of the one on the CAcert VhostTaskForce wiki page; it writes the secret key and CSR into the current directory rather than ~/.)

Be sure to run this script in the encrypted directory where the secret key will be kept — generating it on an unencrypted partition and then moving it is not a good idea, because the key could be recovered from the unencrypted disk.

The following is an example of how the script works (note that the CommonName has been repeated as a SubjectAltName; this is necessary to avoid Domain Name Mismatch errors, because if there is a SubjectAltName the CommonName is ignored):

$ sh ~/bin/csr.sh 
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www2): myservername
FQDN/CommonName (ie. www.example.com) : www.foo.indymedia.org
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:www.foo.indymedia.org
SubjectAltName: DNS:foo.indymedia.org
SubjectAltName: DNS:indymedia.foo
SubjectAltName: DNS:www.indymedia.foo
SubjectAltName: DNS:www.bar.indymedia.org
SubjectAltName: DNS:bar.indymedia.org
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
.............+++
.......................................+++
writing new private key to 'myservername_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like myservername_server.pem

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

The Certificate request is also available in myservername_csr.pem
The Private Key is stored in myservername_privatekey.pem

Then you need to pass the certificate request to one of the people listed under CaCertSsl#Contact and they will send you back a certificate.

You don't need to worry about keeping the CSR or the certificate secret (though you can GPG-encrypt the CSR when submitting it to the CaCertSsl#Contact if you wish) — the vital thing to keep safe is the secret key.

Doing all the above manually is annoying when there are multiple sites on a server all using the same cert and the sites keep changing, so that new certs are needed all the time. The answer is to use the cacert-cert.sh.txt script — this finds all the ServerNames and ServerAliases in use on a machine and then generates a CSR based on what it finds. Before you set up this script you can use cacert-names.sh.txt to simply list all the names.

  • cacert-names.sh.txt: This script can be used to find ServerNames and ServerAliases
  • cacert-cert.sh.txt: This script can be used to find ServerNames and ServerAliases and generate a CSR — this is very handy for a server with lots of Indymedia sites using one IP address!
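The following is an added example, not the attached csr.sh / cacert-names.sh / cacert-cert.sh scripts, showing the two steps those scripts combine: collecting every ServerName and ServerAlias from an Apache config, then writing an openssl request config in which the CommonName is repeated as the first SubjectAltName (the rule explained above) before all the other names. The function names, the config section names and the output file naming are assumptions; only openssl itself is required, and gen_csr should be run inside the encrypted directory where the key will live:

```shell
#!/bin/sh
# Added example, not the page's own scripts: Apache vhost names -> CSR with
# the CommonName repeated as the first SubjectAltName.

# vhost_names CONFIG_FILE... -> unique hostnames, one per line, :port stripped,
# wildcard and _default_ entries dropped, in order of first appearance.
vhost_names() {
    cat "$@" |
    sed 's/#.*//' |                                   # strip comments
    awk '$1 == "ServerName" || $1 == "ServerAlias" {
            for (i = 2; i <= NF; i++) {
                n = $i; sub(/:[0-9]+$/, "", n)        # drop :443 etc.
                if (n ~ /\*/ || n == "_default_") continue
                if (!seen[n]++) print n
            }
         }'
}

# req_config CN NAME... -> openssl req config on stdout; subjectAltName lists
# the CN first and then every other NAME (a repeated CN is not listed twice).
req_config() {
    cn="$1"; shift
    san="DNS:$cn"
    for n in "$@"; do
        [ "$n" = "$cn" ] && continue
        san="$san,DNS:$n"
    done
    cat <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = $cn

[ v3_req ]
subjectAltName = $san
EOF
}

# gen_csr CN CONFIG_FILE... -> writes CN_req.cnf, CN_privatekey.pem and
# CN_csr.pem in the current directory (assumed naming, modelled on csr.sh),
# then prints the SANs that ended up in the request for an eyeball check.
gen_csr() {
    cn="$1"; shift
    req_config "$cn" $(vhost_names "$@") > "${cn}_req.cnf"
    openssl req -new -nodes -newkey rsa:2048 -config "${cn}_req.cnf" \
        -keyout "${cn}_privatekey.pem" -out "${cn}_csr.pem" &&
    chmod 600 "${cn}_privatekey.pem" &&
    openssl req -in "${cn}_csr.pem" -noout -text | grep -A1 'Subject Alternative Name'
}
```

Typical use is gen_csr foo.indymedia.org /etc/apache2/sites-enabled/*; the CSR printed at the end is what gets sent to the contact, and the key file stays where it was generated.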

Apache configuration

There are various ways to get a Domain Name Mismatch error when setting up Apache to serve multiple HTTPS VirtualHosts (see a screenshot of this error).

UseCanonicalName

Once you have the certificate you have two options about how to set up Apache, depending on how UseCanonicalName is set.

Apache has UseCanonicalName On by default, and when it is on you can use one VirtualHost with multiple ServerAliases, with all these ServerAliases and the ServerName in the cert.

If however you have UseCanonicalName Off then you can't use any ServerAliases; you have to have one VirtualHost per ServerName and then set all the VirtualHosts to use the same cert.

Repeating the CommonName as a SubjectAltName

If you don't repeat the CommonName as a SubjectAltName then you get the Domain Name Mismatch error message. For more info on this, and screenshots, see the Aktivix CAcert wiki page.

Non IP based VirtualHosts

You might also get the same Domain Name Mismatch error message if you use wildcard or name-based HTTPS VirtualHosts - you seem to need to specify the IP address for each VirtualHost.

httpd.conf example

This is an example configuration for foo.indymedia.org and bar.indymedia.org, with alternative domain names redirecting to the main ones; this can be done using a set IP address or wildcards.

There has been some discussion about the SSLCipherSuite line; CAcert suggest the following SSLCipherSuite and SSLProtocol lines to disable weak ciphers and SSLv2 and to fix a problem with Konqueror - the latest versions don't handshake properly:

NameVirtualHost 192.168.0.1:443
# or 
# NameVirtualHost *:443

# foo.indymedia.org:443
<VirtualHost 192.168.0.1:443>
# or 
# <VirtualHost *:443>
  ServerName foo.indymedia.org:443
  UseCanonicalName On
  CustomLog logs/foo_ssl_access_log noip
  ErrorLog /dev/null 
  SSLEngine on
  SSLCipherSuite HIGH
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/crypt/foo-bar_server.pem
  SSLCertificateKeyFile /etc/crypt/foo-bar_privatekey.pem
# the next line you need to get the file from the cacert site:
# wget http://www.cacert.org/certs/class3.crt
# but this is probably not really necessary
  SSLCertificateChainFile /etc/apache2/ssl/cacert/class3.crt 

  DocumentRoot "/var/www/foo.indymedia.org"
  <Directory "/var/www/foo.indymedia.org">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

# www.foo.indymedia.org:443
<VirtualHost 192.168.0.1:443>
  ServerName www.foo.indymedia.org:443
  UseCanonicalName On
  CustomLog logs/foo_ssl_access_log noip
  ErrorLog /dev/null 
  SSLEngine on
  SSLCipherSuite HIGH
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/crypt/foo-bar_server.pem
  SSLCertificateKeyFile /etc/crypt/foo-bar_privatekey.pem
  Redirect / https://foo.indymedia.org/
</VirtualHost>

# indymedia.foo:443
<VirtualHost 192.168.0.1:443>
  ServerName indymedia.foo:443
  UseCanonicalName On
  CustomLog logs/foo_ssl_access_log noip
  ErrorLog /dev/null 
  SSLEngine on
  SSLCipherSuite HIGH
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/crypt/foo-bar_server.pem
  SSLCertificateKeyFile /etc/crypt/foo-bar_privatekey.pem
  Redirect / https://foo.indymedia.org/
</VirtualHost>

# www.indymedia.foo:443
<VirtualHost 192.168.0.1:443>
  ServerName www.indymedia.foo:443
  UseCanonicalName On
  CustomLog logs/foo_ssl_access_log noip
  ErrorLog /dev/null 
  SSLEngine on
  SSLCipherSuite HIGH
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/crypt/foo-bar_server.pem
  SSLCertificateKeyFile /etc/crypt/foo-bar_privatekey.pem
  Redirect / https://foo.indymedia.org/
</VirtualHost>

# bar.indymedia.org:443
<VirtualHost 192.168.0.1:443>
  ServerName bar.indymedia.org:443
  UseCanonicalName On
  CustomLog logs/bar_ssl_access_log noip
  ErrorLog /dev/null 
  SSLEngine on
  SSLCipherSuite HIGH
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/crypt/foo-bar_server.pem
  SSLCertificateKeyFile /etc/crypt/foo-bar_privatekey.pem
  DocumentRoot "/var/www/bar.indymedia.org"
  <Directory "/var/www/bar.indymedia.org">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

# www.bar.indymedia.org:443
<VirtualHost 192.168.0.1:443>
  ServerName www.bar.indymedia.org:443
  UseCanonicalName On
  CustomLog logs/bar_ssl_access_log noip
  ErrorLog /dev/null 
  SSLEngine on
  SSLCipherSuite HIGH
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/crypt/foo-bar_server.pem
  SSLCertificateKeyFile /etc/crypt/foo-bar_privatekey.pem
  Redirect / https://bar.indymedia.org/
</VirtualHost>

# indymedia.bar:443
<VirtualHost 192.168.0.1:443>
  ServerName indymedia.bar:443
  UseCanonicalName On
  CustomLog logs/bar_ssl_access_log noip
  ErrorLog /dev/null 
  SSLEngine on
  SSLCipherSuite HIGH
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/crypt/foo-bar_server.pem
  SSLCertificateKeyFile /etc/crypt/foo-bar_privatekey.pem
  Redirect / https://bar.indymedia.org/
</VirtualHost>

# www.indymedia.bar:443
<VirtualHost 192.168.0.1:443>
  ServerName www.indymedia.bar:443
  UseCanonicalName On
  CustomLog logs/bar_ssl_access_log noip
  ErrorLog /dev/null 
  SSLEngine on
  SSLCipherSuite HIGH
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/crypt/foo-bar_server.pem
  SSLCertificateKeyFile /etc/crypt/foo-bar_privatekey.pem
  Redirect / https://bar.indymedia.org/
</VirtualHost>
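Both causes of the Domain Name Mismatch error described above can be caught on the server before Apache is reloaded. The following is an added example, not part of the page: it reads the CommonName and the DNS SubjectAltNames out of the certificate with openssl, collects the ServerName of every :443 VirtualHost from the config, and reports a CommonName that is not repeated in the SAN list or a ServerName the certificate does not cover. The certificate path is the one from the httpd.conf example above; the config path and function names are assumptions:

```shell
#!/bin/sh
# Added example, not part of the CaCertSsl page: does the certificate name
# every :443 ServerName, and is its CommonName repeated as a SubjectAltName?

CERT="${CERT:-/etc/crypt/foo-bar_server.pem}"                    # from the page's example
HTTPD_CONF="${HTTPD_CONF:-/etc/apache2/sites-enabled/ssl.conf}"  # assumption

# cert_cn CERT -> CommonName from the subject (works for "CN = x" and "/CN=x")
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# cert_sans CERT -> DNS names from subjectAltName, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# ssl_server_names CONF -> ServerName (port stripped) of each *:443 / IP:443 vhost
ssl_server_names() {
    awk '/<VirtualHost .*:443>/ {ssl=1} /<\/VirtualHost>/ {ssl=0}
         ssl && $1 == "ServerName" {n=$2; sub(/:[0-9]+$/,"",n); print n}' "$1"
}

# missing_names NAMES SANS -> prints each name (space separated list) that is
# absent from SANS (newline separated); returns 0 only when all are covered
missing_names() {
    names="$1"; sans="$2"; rc=0
    for n in $names; do
        echo "$sans" | grep -qxF "$n" || { echo "$n"; rc=1; }
    done
    return $rc
}

# cn_in_sans CN SANS -> 0 if the CommonName is repeated in the SAN list
cn_in_sans() {
    echo "$2" | grep -qxF "$1"
}

# check_cert_matches_vhosts -> 0 when the cert covers every :443 ServerName
check_cert_matches_vhosts() {
    sans=$(cert_sans "$CERT")
    cn=$(cert_cn "$CERT")
    cn_in_sans "$cn" "$sans" ||
        echo "CommonName $cn is not repeated as a SubjectAltName (expect a mismatch error)"
    if m=$(missing_names "$(ssl_server_names "$HTTPD_CONF")" "$sans"); then
        echo "all :443 ServerNames are covered by $CERT"
    else
        echo "names in $HTTPD_CONF but not in the certificate:"
        echo "$m"
        return 1
    fi
}
```

Running check_cert_matches_vhosts after installing a new certificate and before the Apache reload turns a browser-side mismatch error into a one-line report on the server; the same list comparison works for a CSR if cert_sans is pointed at openssl req -text instead.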

HTTP single domain name

This is documented on the CAcert.org site.

First you need to generate a key in a private, secure directory; the -nodes option disables the need for a passphrase:

 $ openssl req -nodes -new -keyout private.key -out server.csr

When you run the above command you will be prompted for various pieces of information. The only field that isn't discarded at the server side is the Common Name, which for this example is example.indymedia.org; for all the other fields enter a . (a full stop), and the last two optional fields can be left blank:

 Generating a 1024 bit RSA private key
 .............++++++
 ..........++++++
 writing new private key to 'private.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:.
 State or Province Name (full name) [Berkshire]:.
 Locality Name (eg, city) [Newbury]:.
 Organization Name (eg, company) [My Company Ltd]:.
 Organizational Unit Name (eg, section) []:.
 Common Name (eg, your name or your server's hostname) []:example.indymedia.org
 Email Address []:.

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:    
 An optional company name []:

Then you should have two files in your current directory, private.key and server.csr; the certificate signing request (server.csr) should look like this:

 -----BEGIN CERTIFICATE REQUEST-----
 MIIBWzCBxQIBADAcMRowGAYDVQQDExFpcmMuaW5keW1lZGlhLm9yZzCBnzANBgkq
 hkiG9w0BAQEFAAOBjQAwgYkCgYEAtfES7rRB84NCfpw3mIVaums+7zy4x7sCqWj1
 PdTJ+2wlkxY8Y7GnUlYL2CBZnDv6TmciYXlr+u91m0ZgB29sZYFfRjH38BAaMVtH
 UPKXq0xttuP8aQDW2AIedP44BZdG6E2CpTF8Z/5OWTHMLtuLfgnXSn0g05JZNWi/
 6MNVVwsCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAIYqXjCFZz+uEyMUrQeXPiBD
 TCPQheUtHWfD6AShxfkURtOAdQFBgZMKJrT0d82lkNFdNpxD4zzhFZUEXfSQq0Mu
 YmDCV4MkeOFxllQvtu6arYCDMvDjDaJGYIHKtyaF19LkLuMiGRaEQNHUKaI18NmW
 EBpU1PlLqn65thHfmIOa
 -----END CERTIFICATE REQUEST-----

Email the server.csr file to your contact; they will upload your certificate signing request to CAcert, be emailed a certificate back from CAcert, and forward the certificate to you. You should save the certificate as server.crt and reference it from your httpd.conf file like this:

 SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

And the private.key file that was generated along with the certificate request needs referencing like this:

 SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Use the following for the Cipher Suite:

 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
 SSLCipherSuite HIGH
 SSLProtocol all -SSLv2

Then users just need to install the cacert.org root cert; it probably makes sense to add a link to this page.

TLS Postfix certificates

What you need to do for Postfix is more or less the same as for Apache; there are Postfix configuration instructions on the CAcert wiki, see also the Sarai configuration example below.

See also the CAcert wiki for various MTA instructions.

SMTP multiple domain names

TLS also works with multiple names on certs using the SubjectAltName field, so it makes sense to generate a cert with all the names that are set up at the DNS level — in other words all the different MX records that point to your server. So use the attached script, csr.sh.txt, like this (note that the CommonName has been repeated as a SubjectAltName; this is necessary to avoid Domain Name Mismatch errors, because if there is a SubjectAltName the CommonName is ignored):

# csr.sh 
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org

Short Hostname (ie. imap big_srv www2): smtp_cert
FQDN/CommonName (ie. www.example.com) : mail.indymedia.org
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:mail.indymedia.org
SubjectAltName: DNS:mail.lists.indymedia.org
SubjectAltName: DNS:mail.indymedia.us
SubjectAltName: DNS:mail.indymedia.org.uk
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
...+++
............+++
writing new private key to 'smtp_cert_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like smtp_cert_server.pem

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

The Certificate request is also available in smtp_cert_csr.pem
The Private Key is stored in smtp_cert_privatekey.pem

SMTP single domain name

Generate a certificate signing request:

 $ openssl req -nodes -new -keyout private.key -out server.csr

Email the server.csr file to your contact; they will upload your certificate signing request to CAcert, be emailed a certificate back from CAcert, and forward the certificate to you. You should save the certificate as server.crt.

Sarai TLS configuration

SaraiInfo is the main Indymedia mail server and the following are some notes on how it was set up for TLS.

We created the directory /etc/postfix/certs and then did:

 cp /home/chris/cacart/sarai-tls/sarai.indymedia.org/private.key ./sarai.key
 cp /home/chris/cacart/sarai-tls/sarai.indymedia.org/server.crt ./sarai.crt
 wget http://www.cacert.org/cacert.crt

This put our private key, our certificate and CAcert.org's certificate all in one directory; then we modified /etc/postfix/main.cf to have:

### Transport Layer Security ###

# Server side TLS
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/certs/sarai.key
smtpd_tls_cert_file = /etc/postfix/certs/sarai.crt
smtpd_tls_CAfile = /etc/postfix/certs/cacert.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

# Client side TLS
smtp_use_tls = yes
smtp_tls_key_file = /etc/postfix/certs/sarai.key
smtp_tls_cert_file = /etc/postfix/certs/sarai.crt
smtp_tls_CAfile = /etc/postfix/certs/cacert.crt

# Misc TLS
tls_random_source = dev:/dev/urandom

Restart Postfix, and then watch the logs. Then you need to copy the server.crt file to /etc/postfix/newcert.pem and then copy the certificate from CAcert to /etc/postfix/newreq.pem.

Also, this line should be added to the above to avoid the (No client certificate requested) line in email headers (more info):

 smtpd_tls_ask_ccert = yes 

Postfix see also

Other pages with Postfix TLS information:

Courier and SSL

To have Courier configured to do pop3s and imaps, you have to give it a .pem file, which is a bit different from the .crt. You can make that file easily once you have obtained your .crt and .key files: it is just a concatenation of these two files plus Diffie-Hellman parameters. Run this and you're done:

cat bat_privatekey.pem bat_server.pem > bat_courier.pem
openssl gendh >> bat_courier.pem

SSL certs for stunnel

Indymedia IRC used stunnel and I think it needs .pem files, so the Postfix instructions above should work.

Sites using CAcert certs

HTTPS

Politics

There is an intro article about CAcert on NewsForge.

Sub root certs

Duane from CAcert has replied on imc-tech to a suggestion for using sub-root certs; see also the CAcert wiki SubRoot page.

Alternatives

Should Indymedia be encouraging the hierarchical CAcert? Isn't there an autonomous peer-cert system yet?

11:13 < evilbunny> Isn't there an autonomous peer-cert system yet? -> cacert
11:14 < evilbunny> for the most part, still requires people to support it though
11:17 < evilbunny> I tried to build CAcert as autonomous as possible, but people forget passwords, don't 
                   understand that much about PKI and a whole bunch of other things so there is no such 
                   thing really :)
12:05 < chrisc> what i say to people who say that cacert is not good enough for whatever reason, is, well 
                show me a working alternative... and well, there are not any...
12:08 < evilbunny> <chrisc> what i say to people who say that cacert is not good enough for whatever 
                   reason, is, well show me a working alternative... and well, there are not any... <- 
                   good point
12:09 < chrisc> yeah, people tend to stop moaning at that point ;-)
12:12 < evilbunny> :)

CACert considered harmful

What about this? (a blog entry about CAcert)

10:59 < evilbunny> we're addressing the this
10:59 < evilbunny> the only thing the guy was on about was the low trust cert
10:59 < evilbunny> not checking names
11:00 < evilbunny> he didn't have an issue with anything else
11:00  * chrisc nods
11:00 < evilbunny> mole hill -> mountain
11:00 < evilbunny> so we're going to be ditching the low trust key and the high trust key will only 
                   require 50 points in future
11:00 < chrisc> ah
11:00 < evilbunny> which he agreed was a suitable solution to his grevence
11:01 < chrisc> well he should update his blog...
11:01 < evilbunny> i couldn't agree more
11:01 < evilbunny> feel free to email him and express that :)
11:09 < evilbunny> the blog is on about how we issue low trust gpg signed keys without any checking of 
                   names
11:10 < evilbunny> as for peer to peer pki system, CAcerts web of trust is close as you get with any 
                   semblence of trustworthyness
11:10 < evilbunny> PKI was only designed to be centralised
11:10 < evilbunny> and since it took off and not GPG it's a system we have to live in unless you convince 
                   all the software makers to do otherwise

See also

The UK site has a security box which is documented on the UkCrypto page, and there is also a related UkSecurity page where some help documentation is being developed.


-- ChrisC - 03 Nov 2005 - added the section about hosting multiple https sites with one ip address

-- ChrisC - 21 Jan 2005 - added politics and see also section and moved various things into the politics section from the top of the page

-- PaulWise - 08 Dec 2004 - added a contact section

-- ChrisC - 10 Apr 2004

Topic attachments

  • cacert-cert.sh.txt (3 K, 18 Mar 2011 - 09:53): This script can be used to find ServerNames and ServerAliases and generate a CSR
  • cacert-names.sh.txt (554 bytes, 29 Apr 2007 - 19:50): This script can be used to find ServerNames and ServerAliases
  • csr.sh.txt (4 K, 18 Mar 2011 - 09:50): Bash script for generating CSRs with multiple domain names
Topic revision: r37 - 29 May 2011, ChrisC