Date: Mon, 14 Jan 2002 10:27:31 -0800
From: Terry Lambert <tlambert2@mindspring.com>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: [OT] OpenSSL, certification chains and Exim
Message-ID: <3C432313.29A3CF82@mindspring.com>
References: <91603.1011018796@axl.seasidesoftware.co.za>
Sheldon Hearn wrote:
> > RFC 1423 is a good starting point, and there are a lot of nice
> > books on the subject, but I don't think any of them are less
> > than ~300 pages.
>
> Just out of curiosity, what does RFC 1423 call what you refer to as
> "leaf certificates"?

Uh, "leaves"?

Oh... heh... 1423... I meant 1422. See section 3.1, paragraph 3.

I've also seen it referred to as "non-CA certificate holders".

--

Really, if you are going to get into this, you will need the ASN.1 and
X.509 documentation, and some understanding of how directory servers are
supposed to operate in order to provide CRLs (Certificate Revocation
Lists).

The common practice is to ignore CRLs entirely, and time limit the
validity of the certificates by expiration-date stamping them, and then
making the holders attempt to renew them starting at 50% of the
remaining lifetime (like DHCP leases).

At one point in time, I suggested the use of timed certificates with an
issuer like RBL as a means of controlling SPAM: no certificate means you
don't get to send email. A transition period could be handled by having
a third party referral to the "non-spam" CA by certificate enabled
servers talking to clients that were not certificate providing by asking
"would you sign a certificate for this machine were it to ask you to
sign one?". The point being that you don't just burn an IP address in a
POP until you burn the dialup account, instead you burn domain
registrations, which, because of the space density, are much more
expensive to burn (nail spam at the most vulnerable and tightest
economic boundary possible).

So, you'll understand if 1423 came to my mind as "the most relevant RFC
for certificates". 8-).

-- Terry
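As an added illustration of the practice Terry describes (short-lived leaf certificates, CRLs ignored, renewal attempts starting at 50% of the remaining lifetime in the DHCP-lease style), here is a small Python model. It is not code from the thread, OpenSSL or Exim: the `Cert` record, the names and the sample chain are constructed stand-ins, and `check_chain` verifies only chain structure and validity dates, not signatures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ONE_DAY = timedelta(days=1)


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the X.509 fields used here (hypothetical, not a real parser)."""
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA flag; False for a leaf ("non-CA certificate holder")
    not_before: datetime
    not_after: datetime


def check_chain(chain, trusted_roots, now):
    """Structural check of a chain ordered leaf -> ... -> root at time `now`; returns (ok, reason).
    Signatures and CRLs are not checked: validity rests on the expiry stamps alone."""
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        if not (cert.not_before <= now < cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if i == 0 and cert.is_ca:
            return False, f"{cert.subject}: end entity must not be a CA"
        if i > 0 and not cert.is_ca:
            return False, f"{cert.subject}: issuer is not a CA"
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            return False, f"{cert.subject}: issuer does not match next certificate"
    root = chain[-1]
    if root.subject not in trusted_roots or root.issuer != root.subject:
        return False, f"{root.subject}: not a trusted self-signed root"
    return True, "ok"


def renewal_schedule(cert, start=None, min_interval=timedelta(hours=1)):
    """DHCP-lease style: first attempt at 50% of the remaining lifetime, then at 50% of
    whatever remains after each failed attempt, until the step drops below min_interval."""
    t = start or cert.not_before
    times = []
    while (cert.not_after - t) / 2 >= min_interval:
        t += (cert.not_after - t) / 2
        times.append(t)
    return times


# Constructed sample: a 30-day leaf issued by an intermediate CA under a self-signed root.
T0 = datetime(2002, 1, 14, tzinfo=timezone.utc)
ROOT = Cert("Example Root", "Example Root", True, T0, T0 + 3650 * ONE_DAY)
INTERMEDIATE = Cert("Example CA", "Example Root", True, T0, T0 + 365 * ONE_DAY)
LEAF = Cert("mail.example.org", "Example CA", False, T0, T0 + 30 * ONE_DAY)
CHAIN = [LEAF, INTERMEDIATE, ROOT]
```

`renewal_schedule(LEAF, min_interval=ONE_DAY)` yields four attempts for the 30-day leaf (days 15, 22.5, 26.25 and 28.125), after which the holder is out of runway and the certificate simply expires.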