[Summit] getting organized

Dave Cridland dave at cridland.net
Tue Jun 22 01:04:00 CDT 2010


On Mon Jun 21 23:54:02 2010, Bruce Campbell wrote:
> 
> On Mon, 21 Jun 2010, Dave Cridland wrote:
> 
>> On Mon Jun 21 17:39:46 2010, bear wrote:
>>> Having some certs handy and a CA would be perfect, even if only remote
>>> - that is the kind of thing that will cause interop testing to grind
>>> to a very slow pace as everyone suddenly realizes what is needed.
>>> 
>>> 
>> No problem, I'll commit (on behalf of Isode) to having at minimum two
>> (private, closed, temporary) CAs set up. We'll be able to issue
>> certificates based on PKCS#10 CSRs, or else just create a PKCS#12
>> anew (which is insecure for obvious reasons, but fine for interop).
>> 
>> We can generate various forms of SubjectAltName, including sRVName,
>> xmppAddr, and dNSName, and we can have "traditional" SubjectNames
>> (i.e., hostname as CN) as well as following the strict X.500 spec on
>> those.
>> 
>> It's very much harder to generate things like expired certificates,
>> but I'll ask the X.509 team at Isode about that, and other
>> interesting failure cases we might want to test.
> 
> Easiest might be to have one of the CAs running with a day-off clock.
> Another to-be-tested thing would be the proper handling of revoked
> certs via CRLs.

Yes, I could set up a CA in a VM with a day (or year) out clock, and
yes, CRLs and revocation are easy to do (although we don't have any
SCVP/OCSP server code).

Revocation is probably the more interesting thing to test.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
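
As an added example (not part of the thread, and not Isode's tooling), the script below builds a throwaway test CA with the OpenSSL command line covering the cases discussed: a leaf with dNSName, xmppAddr and sRVName SubjectAltNames, an expired leaf, and a revoked leaf with a CRL. It assumes OpenSSL 1.1.1 or later, uses constructed example.test names, and gets the expired certificate from explicit validity dates rather than the skewed-clock CA suggested above.

```sh
# Added example, not from the thread; every name and path here is constructed.
make_test_pki() {  # make_test_pki <empty-dir>: one CA, three leaf certs, one CRL
  d=$1; mkdir -p "$d/certs"; : > "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
default_ca = testca
[testca]
database = $d/index.txt
new_certs_dir = $d/certs
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
policy = pol
[pol]
commonName = supplied
[leaf]
# dNSName, xmppAddr (id-on-xmppAddr) and sRVName (id-on-dnsSRV)
subjectAltName = @san
[san]
DNS.1 = xmpp.example.test
otherName.1 = 1.3.6.1.5.5.7.8.5;UTF8:example.test
otherName.2 = 1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" -subj "/CN=Interop Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  for n in good expired revoked; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$n.example.test" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    # The "expired" leaf gets a validity window that ended in June 2010.
    dates=; [ "$n" = expired ] && dates="-startdate 100621000000Z -enddate 100622000000Z"
    openssl ca -batch -config "$d/ca.cnf" -extensions leaf -notext $dates \
      -in "$d/$n.csr" -out "$d/$n.pem" 2>/dev/null
  done
  openssl ca -config "$d/ca.cnf" -revoke "$d/revoked.pem" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -crldays 7 -out "$d/ca.crl" 2>/dev/null
}
verdict() {  # verdict <dir> <name> [verify options]: prints ok|expired|revoked|other
  d=$1; n=$2; shift 2
  out=$(openssl verify -CAfile "$d/ca.pem" "$@" "$d/$n.pem" 2>&1) || true
  case $out in
    *"certificate has expired"*) echo expired ;;
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo ok ;; *) echo other ;;
  esac
}
```

The `revoked` certificate verifies as `ok` unless the verifier is given the CRL together with `-crl_check`, which is the behaviour an interop test of revocation has to catch.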