[Ach] (no subject)

szebi szebi at gmx.at
Sun Jan 12 14:48:32 CET 2014


Hi Andreas,

On 01/12/2014 01:18 PM, Andreas Mirbach wrote:
> Ok, I see StartSSL is a little difficult. But we can't provide a how-to
> for that, I think.
> Because every CA has a slightly different process and every CA already
> provides a how-to for obtaining a certificate in their FAQs. If you're still in
> trouble I can help you to understand the StartSSL process.
>
> @all Ahmad pointed out that some SSL starters don't really know how to
> retrieve an SSL certificate. I can remember my first try at that. So
> maybe a section that describes the general process of generating a
> certificate and signing it by a CA would be very helpful. What do you say?
Do you know Section 3.8 on Public Key Infrastructure (PKI)? There's a
section about creating a certificate and having it signed by an external CA,
one about building your own CA, and one that describes how to create a
self-signed cert.

We could refer to this section more often in the Practical Settings, but
then we would have that link in every section, which appears to me like
overkill.

regards,
Sebastian
>
> Regards Andreas Mirbach
>
> Sent from my iPad
>
> On 12.01.2014, at 06:56, Ahmad Bilal <ahmadbilal200854 at gmail.com
> <mailto:ahmadbilal200854 at gmail.com>> wrote:
>
>> Also, I tried StartSSL at first, but got lost somewhere, and gave up
>> in between. So yes, people like me want to improve, just need the
>> light! :)
>>
>> On 12 January 2014 11:25, Ahmad Bilal <ahmadbilal200854 at gmail.com
>> <mailto:ahmadbilal200854 at gmail.com>> wrote:
>>
>>     Thanks Rainer and Andreas. Yes, I was aware that it's not that
>>     safe to trust GoDaddy, but to put it honestly, learning about
>>     SSL/TLS/etc. is like starting all over again, after barely
>>     learning programming. There are not many guides out there that are
>>     easily searchable. It was just coincidence that I found out about
>>     BetterCrypto.
>>
>>     I have read the draft, it has been very helpful, but my opinion
>>     is, if the explanations are a bit simpler, then people will
>>     benefit even more from it. As I said above, and it's also written
>>     in the draft, weak code written by programmers is a big
>>     concern. It should not be assumed that a programmer would learn
>>     coding, and then start to learn about cryptography. Instead,
>>     ideally, one should learn cryptography and programming together,
>>     so that means that midway, where a person has only grasped
>>     intermediate concepts in programming, he should be introduced to
>>     cryptography.
>>
>>     That means, in short, that it should be assumed that the SysAdmin
>>     (at whom this initiative is aimed) can be an average SysAdmin
>>     as well as a well-established SysAdmin.
>>
>>     I might be saying what has already been said, many times, and I
>>     mean no offense to anyone. I'm just resonating what my
>>     honest feelings about this are.
>>
>>     Thanks a lot, I hope to learn a lot around here. 
>>
>>
>>     On 12 January 2014 03:16, Andreas Mirbach <a.mirbach at me.com
>>     <mailto:a.mirbach at me.com>> wrote:
>>
>>         Even if those certificate authorities have not been hacked,
>>         you have to ask yourself "do you trust these third parties in
>>         your chain". For websites that need to be reached over the
>>         internet by unknown clients, you need them. But if you know
>>         your clients, e.g. your company's computers, you can/should use
>>         your own CAs. In my opinion there should be a more detailed
>>         section about certificate authorities.
>>
>>         Andreas Mirbach
>>
>>         Sent from my iPad
>>
>>         On 11.01.2014, at 21:36, Rainer Hoerbe <rainer at hoerbe.at
>>         <mailto:rainer at hoerbe.at>> wrote:
>>
>>>         Finding SHA-1 collisions requires 2**63 tries (maybe a bit
>>>         less). Faking a certificate this way is quite expensive;
>>>         there are cheaper ways.
>>>
>>>         No, you do not need to be worried, because the security value of
>>>         those commercial certificates is near zero anyway. It has been
>>>         insinuated that GoDaddy has been hacked in the past.
>>>         The question is why pay for a certificate of low value,
>>>         when you can get the same product elsewhere for free, e.g.
>>>         StartSSL.
>>>
>>>         - Rainer
>>>
>>>         On 11.01.2014 at 15:02, Ahmad Bilal
>>>         <ahmadbilal200854 at gmail.com
>>>         <mailto:ahmadbilal200854 at gmail.com>> wrote:
>>>
>>>>         I have a question. I recently bought a certificate from
>>>>         GoDaddy, and during the installation I chose SHA-2, but the
>>>>         Certificate Signing Request in raw form has SHA-1 written
>>>>         on it, and not SHA-2. Should I be worried?
>>>>
>>>>         -- 
>>>>         /*Ahmad Bilal*/
>>>>
>>>>         _______________________________________________
>>>>         Ach mailing list
>>>>         Ach at lists.cert.at <mailto:Ach at lists.cert.at>
>>>>         http://lists.cert.at/cgi-bin/mailman/listinfo/ach
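On the SHA-1 question raised in the thread: the signatureAlgorithm field of a CSR only describes the self-signature the requester put on the request, while the hash used in the issued certificate is chosen by the CA, so the issued certificate is the artefact to check. The following Python is an added example, not code from the list or from the BetterCrypto guide; it reads that field from a DER-encoded CSR or X.509 certificate with a minimal ASN.1 walker, and the two sample structures are constructed skeletons (empty inner fields, dummy signature) rather than real certificates.

```python
SIG_ALG_NAMES = {  # a few common signature algorithm OIDs
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OID content octets (first octet packs two arcs, rest base-128) to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(blob):
    """Return (dotted OID, name) of the outer signatureAlgorithm of a CSR or certificate.
    PKCS#10 CertificationRequest and X.509 Certificate share the same outer layout:
    SEQUENCE { info/tbs SEQUENCE, AlgorithmIdentifier SEQUENCE { OID, params }, BIT STRING }."""
    tag, body, _ = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    _, _, pos = read_tlv(body, 0)          # skip certificationRequestInfo / tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)   # AlgorithmIdentifier
    tag_oid, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

def der(tag, body):
    """Encode a short-form DER TLV (body under 128 bytes); used only to build the samples."""
    return bytes([tag, len(body)]) + body

def sample(alg_hex):
    """Constructed skeleton: empty inner fields and a dummy signature, realistic AlgorithmIdentifier."""
    return der(0x30, der(0x30, der(0x02, b"\x00") + der(0x30, b"") + der(0x30, b""))
               + der(0x30, der(0x06, bytes.fromhex(alg_hex)) + der(0x05, b""))
               + der(0x03, b"\x00" + bytes(8)))

SAMPLE_CSR = sample("2a864886f70d010105")   # CSR self-signed with sha1WithRSAEncryption
SAMPLE_CERT = sample("2a864886f70d01010b")  # certificate issued with sha256WithRSAEncryption
```

Run `signature_algorithm` on both samples and the CSR reports SHA-1 while the certificate reports SHA-256, which is exactly the situation described in the question and is harmless.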
