[CentOS] Simple OCSP server ??

Alice Wonder
Hello list,

I'm contemplating running my own CA to implement the new proposed ISP
for validation of S/MIME certificates via DANE.

I already use self-signed for my MX servers (with 3 1 1 DANE records on
TCP port 25) but I don't want to use self-signed for S/MIME for user
specific X.509 certs because

A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that
signs the user x.509 certificates.

Using an intermediary to sign their certificates though means I can't
just revoke their certificates by removing the DNS certificate, I'll
need to provide an OCSP server for when one of their private keys gets
compromised.

I found
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html 
but it looks like that is intended for enterprise, more complex than I need.

Anyone know of a good simple script for providing OCSP ??

-=-

Not relevant to question but just important for me to note, I will *not*
be asking people to install my root certificate in their e-mail clients.
I think it is a bad practice to get users in the habit of installing
root certificates.

I think the PKI system has way way way too many root certificates as it
is. I want a world where DANE validates most certificates, and only a
few root certificates are needed for things like banks where EV
certificates are a must.

DANE as a way to validate S/MIME I think will be a godsend to e-mail
security, I hope clients implement it.
_______________________________________________
CentOS mailing list
[hidden email]
https://lists.centos.org/mailman/listinfo/centos
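
The setup asked about above, as an added example that is not code from the
thread or from any project it mentions: openssl's own "ca" database
(index.txt) is the revocation list, and the responder built into
"openssl ocsp" answers from it. The script builds a throwaway root,
an issuing (intermediate) CA and one user S/MIME cert, revokes the user
cert for key compromise, and shows the OCSP answer flipping from "good" to
"revoked". It also prints the "2 1 1" (DANE-TA, SPKI, SHA-256) RDATA that
pins the issuing CA, which is the value a wildcard SMIMEA record would carry
(assuming the TLSA-style RDATA layout of RFC 8162). Every name, path and
URL (example.test, ocsp.example.test, alice@example.test) is made up;
the script assumes the openssl command line tool and a POSIX shell.

```sh
#!/bin/sh
# Added example (not from the thread): throwaway root -> issuing CA -> user
# S/MIME chain, user cert revoked with "openssl ca -revoke", and the
# resulting index.txt answered by the responder built into "openssl ocsp".
# Every name, path and URL below is made up for the demo.
set -e

write_config() {  # $1 = work dir; one openssl.cnf shared by req, x509 and ca
cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca    = smime_ca
[ smime_ca ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/intermediate.pem
private_key   = $dir/intermediate.key
default_md    = sha256
default_days  = 365
policy        = policy_smime
[ policy_smime ]
commonName    = supplied
emailAddress  = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName    = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_smime ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName   = email:copy
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF
}

build_pki() {  # $1 = work dir: self-signed root, issuing CA, one user cert
  ( cd "$1" && mkdir -p newcerts && : > index.txt && echo 1000 > serial &&
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj '/CN=Example Test Root' -days 3650 &&
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout intermediate.key \
      -out intermediate.csr -subj '/CN=Example Test SMIME Issuing CA' &&
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -set_serial 1 \
      -days 1825 -sha256 -extfile ca.cnf -extensions v3_ca -out intermediate.pem &&
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout alice.key \
      -out alice.csr -subj '/CN=Alice Wonder/emailAddress=alice@example.test' &&
    openssl ca -batch -notext -config ca.cnf -extensions v3_smime -in alice.csr \
      -out alice.pem ) >/dev/null 2>&1
}

revoke_user() {  # $1 = work dir; marks alice.pem "R" in index.txt with a reason
  ( cd "$1" && openssl ca -config ca.cnf -revoke alice.pem \
      -crl_reason keyCompromise ) >/dev/null 2>&1
}

ocsp_status() {  # $1 = work dir; prints good/revoked/unknown for alice.pem
  # Responder side: look alice.pem up in index.txt and sign the answer with
  # the issuing CA's own key (a delegated OCSP signing cert would go in
  # -rsigner/-rkey instead). Client side: verify the saved response up to
  # the private root and print the per-certificate status.
  ocsp_out=$( cd "$1" &&
    openssl ocsp -index index.txt -CA intermediate.pem -rsigner intermediate.pem \
      -rkey intermediate.key -issuer intermediate.pem -cert alice.pem -no_nonce \
      -respout alice.ocsp >/dev/null 2>&1 &&
    openssl ocsp -respin alice.ocsp -issuer intermediate.pem -cert alice.pem \
      -no_nonce -CAfile root.pem 2>&1 )
  case "$ocsp_out" in *"Response verify OK"*) ;; *) echo "$ocsp_out" >&2; return 1 ;; esac
  printf '%s\n' "$ocsp_out" | awk '/^alice\.pem:/ { print $2 }'
}

dane_ta_rdata() {  # $1 = work dir; "2 1 1 <sha256>" = DANE-TA / SPKI / SHA-256
  ( cd "$1" && openssl x509 -in intermediate.pem -pubkey -noout |
      openssl pkey -pubin -outform DER | openssl dgst -sha256 ) |
    awk '{ print "2 1 1 " $NF }'
}

ocsp_demo() {  # prints three lines and cleans up after itself
  work=$(mktemp -d)
  write_config "$work"
  build_pki "$work"
  rdata=$(dane_ta_rdata "$work")
  before=$(ocsp_status "$work")
  revoke_user "$work"
  after=$(ocsp_status "$work")
  rm -rf "$work"
  printf 'dane-ta: %s\nbefore revocation: %s\nafter revocation: %s\n' \
    "$rdata" "$before" "$after"
}

ocsp_demo
```

To serve real clients instead of answering one request offline, the same
responder runs as a (single-threaded) listener: openssl ocsp -index
index.txt -CA intermediate.pem -rsigner intermediate.pem -rkey
intermediate.key -port 8080 -text. The openssl-ocsp man page itself says
this mode is for test and demonstration use, not a production responder:
it answers one request at a time, re-reads nothing, and one process serves
exactly one -index/-CA/-rsigner triple, so a second issuing CA (or a second
signing key) means a second instance behind a reverse proxy. The AIA URL
baked into the user cert by the v3_smime section is what a mail client
would query; point it at whatever actually fronts the responder.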
Re: [CentOS] Simple OCSP server ??

Alice Wonder
https://www.openca.org/ might fit my needs.

On 04/14/2017 06:29 PM, Alice Wonder wrote:

> Hello list,
>
> I'm contemplating running my own CA to implement the new proposed ISP
> for validation of S/MIME certificates via DANE.
>
> I already use self-signed for my MX servers (with 3 1 1 dane records on
> TCP port 25) but I don't want to use self-signed for S/MIME for user
> specific x.509 certs because
>
> A) That's potentially a lot of DNS records
> B) That requires a hash of the e-mail addresses in DNS
>
> Instead, I will be using a wildcard in DNS with an intermediary that
> signs the user x.509 certificates.
>
> Using an intermediary to sign their certificates though means I can't
> just revoke their certificates by removing the DNS certificate, I'll
> need to provide an OCSP server for when one of their private keys gets
> compromised.
>
> I found
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html
> but it looks like that is intended for enterprise, more complex than I
> need.
>
> Anyone know of a good simple script for providing OCSP ??
>
> -=-
>
> Not relevant to question but just important for me to note, I will *not*
> be asking people to install my root certificate in their e-mail clients.
> I think it is a bad practice to get users in the habit of installing
> root certificates.
>
> I think the PKI system has way way way to many root certificates as it
> is. I want a world where DANE validates most certificates, and only a
> few root certificates are needed for things like banks where EV
> certificates are a must.
>
> DANE as a way to validate S/MIME I think will be a godsend to e-mail
> security, I hope clients implement it.
> _______________________________________________
> CentOS mailing list
> [hidden email]
> https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Simple OCSP server ??

Robert Moskowitz


On 04/14/2017 10:41 PM, Alice Wonder wrote:
> https://www.openca.org/ might fit my needs.

Their CentOS repo does not exist, it seems?

Re: [CentOS] Simple OCSP server ??

Alice Wonder
Oh I don't know, their GitHub works.

However it seems that it isn't able to deal with more than one OCSP
signing key.

On 04/16/2017 08:40 AM, Robert Moskowitz wrote:

> On 04/14/2017 10:41 PM, Alice Wonder wrote:
>> https://www.openca.org/ might fit my needs.
>
> Their CentOS repo does not exist, it seems?

Re: [CentOS] Simple OCSP server ??

Robert Moskowitz
What about the pki package that comes with CentOS?

pki-server and pki-ca?

On 04/16/2017 11:54 AM, Alice Wonder wrote:

> Oh I don't know, their GitHub works.
>
> However it seems that it isn't able to deal with more than one OCSP
> signing key.
