[Ach] (no subject)

szebi szebi at gmx.at
Sun Jan 12 14:48:32 CET 2014

Hi Andreas,

On 01/12/2014 01:18 PM, Andreas Mirbach wrote:
> Ok, I see StartSSL is a little difficult. But we can't provide a how
> to for that, I think.
> Because every CA has a slightly different process and every CA already
> provides a how to obtain a certificate in their FAQs. If you're still in
> trouble I can help you to understand the StartSSL process. 
> @all Ahmad pointed out that some SSL starters don't really know how to
> retrieve an SSL certificate. I can remember my first try on that. So
> maybe a section that describes the general process of generating a
> certificate and signing it by a CA would be very helpful. What do you say?
Do you know Section 3.8 on Public Key Infrastructure (PKI)? There's a
section about creating a certificate and signing it by an external CA, one
about building your own CA and one describes how to create a self-signed

We could refer to this section more often in the Practical Settings, but
then we would have that link in every section, which appears to me like

> Regards Andreas Mirbach
> Sent from my iPad
> On 12.01.2014, at 06:56, Ahmad Bilal <ahmadbilal200854 at gmail.com
> <mailto:ahmadbilal200854 at gmail.com>> wrote:
>> Also, I tried StartSSL at first, but got lost somewhere, and gave up
>> in between. So yes, people like me want to improve, just need the
>> light! :)
>> On 12 January 2014 11:25, Ahmad Bilal <ahmadbilal200854 at gmail.com
>> <mailto:ahmadbilal200854 at gmail.com>> wrote:
>>     Thanks Rainer and Andreas. Yes, I was aware that it's not that
>>     safe to trust GoDaddy, but to put it honestly, learning about
>>     SSL/TLS/etc. is like starting all over again, after barely
>>     learning programming. There are not many guides out there easily
>>     searchable. It was just coincidence that I found out about
>>     BetterCrypto. 
>>     I have read the draft, it has been very helpful.. but my opinion
>>     is, if the explanations are a bit simpler, then people will
>>     benefit even more from it. As I said above, and it's also written
>>     in the draft, that weak code written by programmers is a big
>>     concern. It should not be assumed that a programmer would learn
>>     coding, and then start to learn about cryptography. Instead,
>>     ideally, one should learn cryptography and programming together,
>>     so that means that midway, where a person has only grasped
>>     intermediate concepts in programming, he should be introduced to
>>     cryptography. 
>>     That means, in short, that it should be assumed that the SysAdmin
>>     (at which this initiative is aimed) can be an average SysAdmin,
>>     as well as a well-established SysAdmin.
>>     I might be saying what has been already said, many times.. and I
>>     mean no offense to anyone. I'm just resonating, what are my
>>     honest feelings about this.
>>     Thanks a lot, I hope to learn a lot around here. 
>>     On 12 January 2014 03:16, Andreas Mirbach <a.mirbach at me.com
>>     <mailto:a.mirbach at me.com>> wrote:
>>         Even if those certificate authorities have not been hacked,
>>         you have to ask yourself "do you trust these third parties in
>>         your chain". For websites that need to be reached over the
>>         internet by unknown clients, you need them. But if you know
>>         your clients, e.g. your company's computers, you can/should use
>>         your own CAs. In my opinion there should be a more detailed
>>         section about certificate authorities. 
>>         Andreas Mirbach
>>         Sent from my iPad
>>         On 11.01.2014, at 21:36, Rainer Hoerbe <rainer at hoerbe.at
>>         <mailto:rainer at hoerbe.at>> wrote:
>>>         Finding SHA1 collisions requires 2**63 tries (maybe a bit
>>>         less). Faking a certificate this way is quite expensive;
>>>         there are cheaper ways.
>>>         No, you need not be worried, because the security value of
>>>         those commercial certificates is near zero anyway. It has
>>>         been insinuated that GoDaddy has been hacked in the past.
>>>         The question is why pay for a certificate of low value,
>>>         when you can get the same product elsewhere for free, e.g.
>>>         StartSSL.
>>>         - Rainer
>>>         On 11.01.2014 at 15:02, Ahmad Bilal
>>>         <ahmadbilal200854 at gmail.com
>>>         <mailto:ahmadbilal200854 at gmail.com>> wrote:
>>>>         I have a question. I recently bought a certificate from
>>>>         godaddy, and during the installation I chose SHA-2, but the
>>>>         Certificate Signing Request in raw form has SHA-1 written
>>>>         on it, and not SHA-2. Should I be worried?
>>>>         -- 
>>>>         /*Ahmad Bilal*/
>>>>         _______________________________________________
>>>>         Ach mailing list
>>>>         Ach at lists.cert.at <mailto:Ach at lists.cert.at>
>>>>         http://lists.cert.at/cgi-bin/mailman/listinfo/ach
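The CSR question in the thread (a request showing SHA-1 although SHA-2 was chosen for the certificate) comes down to two separate signatures: the requester self-signs the CSR, and the CA signs the issued certificate, each with its own hash choice. The Go program below is an added example, not code from the thread or from the BetterCrypto project; it builds a CSR with SHA-256 and then issues a certificate for it with SHA-512 to show that the CSR hash does not dictate the certificate hash. The subject example.test and the self-issued key are constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Demonstrate creates a CSR self-signed with csrAlg, issues a certificate for it
// signed with certAlg, and returns the algorithms found when both are parsed back
// from DER. Issuer and requester share one key here (self-issued, constructed).
func Demonstrate(csrAlg, certAlg x509.SignatureAlgorithm) (x509.SignatureAlgorithm, x509.SignatureAlgorithm, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, err
	}
	// Requester side: the hash chosen here covers only the CSR's own signature.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: "example.test"}, // constructed sample subject
		SignatureAlgorithm: csrAlg,
	}, key)
	if err != nil {
		return 0, 0, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return 0, 0, err
	}
	// CA side: subject and public key are copied from the CSR; the signature hash is the CA's choice.
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            csr.Subject,
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: certAlg,
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, key)
	if err != nil {
		return 0, 0, err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return 0, 0, err
	}
	return csr.SignatureAlgorithm, cert.SignatureAlgorithm, nil
}
```

Parsing both artefacts back shows SHA256-RSA on the CSR and SHA512-RSA on the certificate, which is the same situation as a SHA-1 CSR answered with a SHA-2 certificate.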
