[Summit] getting organized
dave at cridland.net
Tue Jun 22 01:04:00 CDT 2010
On Mon Jun 21 23:54:02 2010, Bruce Campbell wrote:
> On Mon, 21 Jun 2010, Dave Cridland wrote:
>> On Mon Jun 21 17:39:46 2010, bear wrote:
>>> Having some certs handy and a CA would be perfect, even if only
>>> - that is the kind of thing that will cause interop testing to
>>> to a very slow pace as everyone suddenly realizes what is needed.
>> No problem, I'll commit (on behalf of Isode) to having at minimum
>> two (private, closed, temporary) CAs set up. We'll be able to issue
>> certificates based on PKCS#10 CSRs, or else just create a PKCS#12
>> anew (which is insecure for obvious reasons, but fine for interop).
>> We can generate various forms of SubjectAltName, including
>> sRVName, xmppAddr, and dNSName, and we can have "traditional"
>> SubjectNames (i.e., hostname as CN) as well as following the strict
>> X.500 spec on those.
>> It's very much harder to generate things like expired
>> certificates, but I'll ask the X.509 team at Isode about that, and
>> other interesting failure cases we might want to test.
> Easiest might be to have one of the CAs running with a day-off
> clock. Another to-be-tested thing would be the proper handling of
> revoked certs via CRLs.
Yes, I could set up a CA in a VM with a day (or year) out clock, and
yes, CRLs and revocation are easy to do (although we don't have any
SCVP/OCSP server code).
Revocation is probably the more interesting thing to test.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
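
The test material discussed in this thread (a SubjectAltName carrying dNSName, xmppAddr and sRVName, an expired certificate, and a revoked certificate with its CRL) can be produced with the OpenSSL command line. This is an added example, not part of the original messages and not Isode's tooling. It assumes OpenSSL 1.1.1 or later, uses constructed names (`im.example.test`, `Interop Test CA`) and dates, and sets explicit `-startdate`/`-enddate` values instead of running the CA on a skewed clock.

```shell
# Added example: throwaway interop CA. All names, paths and dates are constructed.
make_pki() {   # $1 = scratch directory
  d=$1; mkdir -p "$d/new"; : > "$d/index.txt"; echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = interop
[ interop ]
database = $d/index.txt
new_certs_dir = $d/new
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = pol
[ pol ]
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:im.example.test, otherName:1.3.6.1.5.5.7.8.5;UTF8:im.example.test, otherName:1.3.6.1.5.5.7.8.7;IA5STRING:_xmpp-server.im.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 30 \
    -subj "/CN=Interop Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  issue() {   # $1 = name, remaining arguments are passed to "openssl ca"
    n=$1; shift
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
      -subj "/CN=im.example.test" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl ca -batch -notext -config "$d/ca.cnf" -extensions leaf \
      -in "$d/$n.csr" -out "$d/$n.pem" "$@" 2>/dev/null
  }
  issue good
  issue expired -startdate 100621000000Z -enddate 100622000000Z  # validity window in the past
  issue revoked
  openssl ca -config "$d/ca.cnf" -revoke "$d/revoked.pem" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}
check() {   # $1 = directory, $2 = name; validate the way a CRL-checking peer would
  openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" -crl_check "$1/$2.pem" >/dev/null 2>&1
}
```

The two otherName OIDs are id-on-xmppAddr (1.3.6.1.5.5.7.8.5) and id-on-dnsSRV (1.3.6.1.5.5.7.8.7). After `make_pki DIR`, `check DIR good` succeeds while `check DIR expired` and `check DIR revoked` fail.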