Sun 17 Jul 2005
Certificate Signing - Dead End
Category : Technology/chainOfTrust.txt
I'm going to wrap up my exploration of digital certificate signing, at least for a while until I get better ideas, but this is why I think I've hit a dead end.
According to the man page on the OpenSSL verify command, which is used to verify that a cert is OK all the way up its trust chain, one of the checks it does is to make sure that the issuer of a cert is actually allowed to sign certs :
So, the freessl cert that I bought, which I was hoping will allow me to sign certs in turn for Hai Hwee, Bee Khim, Brendan, etc..., does not include cert signing among its allowed uses.
So I think it's not the technology. We've got everything there in OS X, under the OpenSSL umbrella of commands, to do it - , i.e., sign certs as a valid intermediate Certification Authority, so long as we have a valid cert that will allow us to establish that "chain of trust". Whatever limitations now are man-made.
This is what irks me about the whole SSL, digital certs thing. It does use some relatively esoteric Unix incantations but it's all clearly understandable. The first time I bought a Verisign cert, I was awed by all this PKI "our facility is protected by seven rings of security" thing. But you could do all this on your Mac.
We need digital signatures and message encryption more than we need these guys to insert themselves into the "Chain of Trust".
Airport Base Station Firmware Update Warning
Category : Technology/AEBSFirmwareUpdateWoes.txt
I've tried to connect my "old" Airport Extreme base station (the one that went PPoE dead after the firmware 5.6 update) to the broadband modem and again it fails to connect to PPoE. But it worked fine at Hai Hwee's house after a hard reset.
So now, I'm not sure if it has somehow acquired an incompatibility with the Efficient Speedstream 5250 ADSL modem or is it with Singnet itself. Hai Hwee's house is on PacNet, using an Aztech DSL 305E modem.
Anyway, this is a warning for Singapore-based users. Think twice before you do that 5.6 firmware update.
Category : Technology/thawte.txt
Right after making that last post, I realised I forgot to mention Thawte. You can get a free cert for use with mail from Thawte, as did almost everyone who has ever sent me signed messages.
But the Thawte application is a tortuous process. After about ten pages, I get to the page to download my cert and hit a ".exe cannot be downloaded" error. Seems like you've got to use Mozilla download it but the page warns that you've got to use the same browser throughout the whole process. I remember vaguely that I've done this before. It's the .exe that shuts my brain.
There's got be a more Mac-like way.
There should be this democratisation of the process. Buy a cert for each company or organisation and then use it to vouch for the people in it, using tools like the Certificate Assistant.
Maybe Apple should get into this business and offer certs as part of the .Mac experience and tie it into the Certificate Assistant, because frankly, if I have to pay for a cert each year, it makes no difference whether I pay freessl or Apple, so it might as well go to Apple.
WebMon, SSL, Mail, and Digital Certificates
Category : Technology/sslUpdates.txt
Just some updates about WebMon and SSL.
I'm almost done with the interface. I'm able to get WebMon to generate a certificate request (a CSR in SSL parlance) and display the block of text containing that CSR, so that the user can paste that into his application at one of the certification authorities.
I just need to wrap it up by providing an interface for the user to paste the returned certificate, so that WebMon can copy that to the right location and restart the server.
I've been experimenting Apple's very excellent Certificate Assistant (that comes with Tiger's new Keychain Access application), but I think that serves a more mail client-centric need.
If you use WebMon's SSL-enabler, you should be able to set the web server up for SSL, and get the certs and keys stashed into all the right places in one fell swoop. Or at least that's what I hope I could do.
But, back to the Certificate Assistant. I think it's very well thought out. I've used something similar in Windows 2000 (I haven't thought about Windows in ages) but Apple's implementation is better.
I now know how the process works, both via Certificate Assistant, as well as manually via the OpenSSL commands. But I still haven't found the answer to the question : if I have a valid live SSL cert, can I use it to sign other certificates so that other mail clients don't complain when they receive mail from all of us here at cutedgesystems.com? (- because currently I could only use a self-signed cert, and that is not linked to the so-called "chain of trust" - unless I know how to bring the live cert into the equation).
Currently, Certificate Assistant works with self-signed certs. If I make myself a Certification Authority, I can't issue a cert for Hai Hwee, say, and link that all the way back to the root certificate used by freessl.com, even though I, as the sub-level Certification Authority, has a valid certificate from freessl.com.
I've been banging my head over this the last couple of days. Sending mail without signing and encrypting it is, like someone said, sending business information using postcards, for everyone to read who handles its delivery. We really need to get to this next stage of e-mail usage. And the process has got to be simpler and cheaper than it is now.
Airport 4.2 and Airport Base Station 5.6 Updates
Category : Technology/airport5dot6firmware.txt
I applied the Airport Base Station 5.6 Firmware Update and it stopped being able connect to the broadband modem. So for a couple of sessions over the weekend, we were off the air (or blogosphere) for about half an hour each.
If you're trying to get here and couldn't connect, that was the cause.
Fortunately I have a spare base station somewhere else. While I went to retrieve it, we were running the server directly off the broadband modem, and using the server's Airport card to share its connection with the other machines on our network.
And I was thinking about how things still work while we're getting flustered. At times like these, you can't think, you just want to get back up as quickly as possible. And thankfully, just three clicks later, we've got server's Airport card sharing its broadband connection to everybody else on the network. So our Disaster Recovery Standard Operating Procedure (SOP) works.
I'm now running the system off the spare base station. As for the "spoilt" one, we went over to Hai Hwee's house, did a hardware reset, and found that it worked again on her broadband connection. So I'm going to switch everything back, later today, at about three or four in the afternoon, when my server's at its quietest time of the day.