News: Announce: SSL certificates renewed
Security Announce: SSL certificates renewed
Item posted by Mathieu Roy <yeupou> on Sun 15 Feb 2004 12:07:47 PM UTC.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SSL certificates for gna.org and mail.gna.org has been renewed for 1200 days.
These certificates are not signed by a real certificate authority: their purpose is not to confirm our identity but to provide you a way to be sure that https://gna.org and https://mail.gna.org today are running on the same machine they were yesterday. Also, certificates are required for an https server to run, and https is a way to secure all the data transiting between your computer and our servers, like authentication information.
Mathieu Roy <yeupou@gnu.org> for Gna!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAL2A4Nl9/9y2hmbkRAiPcAJ9Xiga+gQ3id7tXOSD/1Hb/P6U/XQCfTHMy
TfHV7PRmo+hxCvkaoAa5ces=
=e0N+
-----END PGP SIGNATURE-----
Comments:
| GPG signing (posted by Vincent Caron, Mon 16 Feb 2004 01:11:50 PM UTC) |
I copy/pasted the text and tried a 'gpg --verify', it fails. I guess there is too much editing (although line returns are respected) to keep the signature valid. I don't think it's a problem since you were necessarily properly authenticated to post this announce. Is it necessary to post the next security news with a GPG signature here?
|
| RE: GPG signing (posted by Mathieu Roy, Mon 16 Feb 2004 06:55:35 PM UTC) |
1) The signature is not valid because Savane adds < and > around email addresses and I had the bad idea to add my address.
If you remove the < >, I bet it would be ok.
2) Getting a Savane account cracked is possible. I guess that a gpg key may be cracked too, however I think it is a way tougher job, if not impossible. Security announces should definitely rely on a very secure signature, like GPG, unlike being logged on Gna! Also, security announces at Gna! should not depend on the Gna! structure itself to confirm its validity: if Gna! was cracked, it would be easy to make false announces if the checks on the announces are made with Gna! specific stuff itself.
|
| RE: GPG signing 2 (posted by Mathieu Roy, Mon 16 Feb 2004 07:01:47 PM UTC) |
Hum, there are two causes of trouble:
the < > I mentioned because but also the extra blank space that gets added at the beginning of each line.
The way to go is, for security announce, to post them first by mail on project@gna.org, gpg-signed, and then to post them on Savane with no signature but a link to the signed archived mail. |
| RE: GPG signing 2 (posted by Mathieu Roy, Mon 16 Feb 2004 07:02:22 PM UTC) |
(mentioned s/before/because/) |
| RE: GPG signing (posted by ytars, Tue 23 Oct 2012 09:38:42 AM UTC) |
|
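Why the pasted copy fails `gpg --verify` even though line breaks survive, as an added example that is not part of the thread or of Savane's code: it computes the text bytes a cleartext signature covers (RFC 4880, section 7.1) and shows that trailing whitespace is ignored while a leading space or added `< >` changes them. The message, the address, the function names and the exact form of the rendering changes are constructed assumptions.

```python
import hashlib
import re

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"

def canonical_text(clearsigned: str) -> bytes:
    """Bytes of the message text that a cleartext signature covers (RFC 4880, 7.1)."""
    lines = clearsigned.splitlines()
    stripped = [ln.strip() for ln in lines]
    start = stripped.index(BEGIN) + 1         # tolerant lookup, so a mangled paste can be hashed too
    while stripped[start]:                    # skip armor headers such as "Hash: SHA1"
        start += 1
    body = []
    for line in lines[start + 1:stripped.index(SIG)]:
        if line.startswith("- "):             # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))       # trailing whitespace is not signed
    return "\r\n".join(body).encode("utf-8")  # CRLF line ends, none after the last line

def text_digest(clearsigned: str) -> str:
    # Digest of the text only; the real signature hash also covers a trailer,
    # but any change to these bytes changes that hash as well.
    return hashlib.sha1(canonical_text(clearsigned)).hexdigest()

def as_rendered(clearsigned: str) -> str:
    """Simulate the two changes the thread describes (assumed exact form)."""
    text = re.sub(r"(\S+@\S+)", r"<\1>", clearsigned)
    return "\n".join(" " + ln for ln in text.splitlines())

def undo_rendering(pasted: str) -> str:
    """Reverse them. Assumes no original line began with a space or had <addr>."""
    lines = [ln[1:] if ln.startswith(" ") else ln for ln in pasted.splitlines()]
    return re.sub(r"<([^<>\s]+@[^<>\s]+)>", r"\1", "\n".join(lines))

# Constructed sample; the signature body is a placeholder, not a real signature.
SAMPLE = "\n".join([
    BEGIN, "Hash: SHA1", "",
    "Certificates renewed.   ",
    "- -- dash-escaped line",
    "admin@example.org for Example",
    SIG, "PLACEHOLDER", "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    pasted = as_rendered(SAMPLE)
    print("original :", text_digest(SAMPLE))
    print("pasted   :", text_digest(pasted))
    print("restored :", text_digest(undo_rendering(pasted)))
```

The restored text is what would be handed to `gpg --verify`; matching text digests are a precondition for a valid signature, not a substitute for checking it.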
| gna! CA certificate? (posted by Geert Vanderkelen, Sun 15 Feb 2004 02:55:21 PM UTC) |
Is the CA Certificate of gna! available somewhere to import into the browser so we don't have to acknowledge it all the time?
|
| RE: gna! CA certificate? (posted by Mathieu Roy, Sun 15 Feb 2004 07:45:23 PM UTC) |
I'm not sure I understand your problem. Doesn't your browser permit you to acknowledge the certificate for future sessions?
|
| RE: gna! CA certificate? (posted by Geert Vanderkelen, Sun 15 Feb 2004 10:13:40 PM UTC) |
It's not really a problem. I mean, when you sign your CSR for https://gna.org, you use your own Certification Authority (CA) I presume. You do what VeriSign/Thawte does.
Well, the browsers of course don't recognize you as a CA, but you can make them recognize you by making your CA certificate (ca.cert or better ca.crt) available online.
Just put your ca.crt in webroot and surf to it with mozilla. Should work. Otherwise one can import it via the Options.
(see openssl.org ofcoz)
It's just a thought :) |
| RE: gna! CA certificate? (posted by Mathieu Roy, Mon 16 Feb 2004 11:18:42 AM UTC) |
All the browsers I know can accept the certificates for future sessions and so not complain any further.
Apart from that, making the CA certificate we use looks like a good idea but currently I do not know what it would imply exactly. |

