Bitcoin Forum
August 01, 2021, 03:27:03 PM *
News: Latest Bitcoin Core release: 0.21.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Clarification as to how the CA system can now be trusted  (Read 794 times)
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1004


Ian Knowles - CIYAM Lead Developer


View Profile WWW
September 26, 2013, 04:51:23 PM
Last edit: September 26, 2013, 05:44:48 PM by CIYAM Open
 #1

I've read in recent posts regarding the new payment system being integrated into the next version of Bitcoin that we can now trust the CA private keys to be *unknown* to anyone but the cert owner.

As an *owner* of a CA cert where the private key was *not* created by myself (which would be the case for most people unless they are using self-signed certs AFAIA) how exactly does one obtain such a cert (as clearly my own cert now needs to be changed)?

Like most website owners I purchased a cert - and there was no option for me to provide the public key - instead I was given a link to download the private key (so I would be about 99% sure that the NSA has or can get a copy of that key).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1627831623
Hero Member
*
Offline Offline

Posts: 1627831623

View Profile Personal Message (Offline)

Ignore
1627831623
Reply with quote  #2

1627831623
Report to moderator
phillipsjk
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000

Let the chips fall where they may.


View Profile WWW
September 26, 2013, 05:18:16 PM
 #2

My webhost/registrar that has not updated their website since 1999 allows you to generate your own certs.
http://www.reg.ca/certificate.html
Can't find the form off-hand.

Bottom line is that your Certificate Authority should never have the private key for your webserver (unless they are also your webhost). If your CA does not allow you to generate you own Certs for signing, Drop them like a hot potato and black-list them in the web-browser. Then come here and tell us who they are so we can black-list them in our web-browsers.

Edit: maybe I should just go ahead and blacklist the cloudflare CA.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1004


Ian Knowles - CIYAM Lead Developer


View Profile WWW
September 26, 2013, 05:21:27 PM
 #3

Bottom line is that your Certificate Authority should never have the private key for your webserver (unless they are also your webhost). If your CA does not allow you to generate you own Certs for signing, Drop them like a hot potato and black-list them in the web-browser. Then come here and tell us who they are so we can black-list them in our web-browsers.

Cert was from RapidSSL (signed by Geo-Trust) - as stated there was simply *no option* to provide a public key.

It was purchased from my VPS provider (so should I bring this up with them?).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
phillipsjk
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000

Let the chips fall where they may.


View Profile WWW
September 26, 2013, 05:24:05 PM
Last edit: September 26, 2013, 05:39:13 PM by phillipsjk
 #4

You don't provide a private key. You provide your public key. Your private key is used to prove control over your web-server.

You send the the public key in the generate CSR step:
Quote from: RapidSSL
Enter CSR
 

After generating your server's Certificate Signing Request as described in Generate CSR, paste the CSR in the form below. Please make sure that it contains the complete header and footer "BEGIN" and "END" lines exactly as in the example below.

      SAMPLE ONLY

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDCjCCAnMCAQAwdTEZMBcGA1UEAxMQaG9zdC5kb21haW4ubmFtZTEVM
BMGA1UECxMMT3JnYW5pemF0aW9uMRUwEwYDVQQKEwxPcmdhbml6YXRpb2
4xDTALBgNVBAcTBENpdHkxDjAMBgNVBAgTBVN0YXRlMQswCQYDVQQGEwJ
VUzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyZ1dYomQ4jhSr6f
G3GYxjS4B837+y3A6xIM9OVXV4ZnSIe9nOLHgdksQJpwaQeOZwWeqifte
hrJ/s55PvPxok+Tqq0t7BfMkkUSuiYnFdUo1OpDPdw3cEaP9WWSrduouI
Vnq2AWTDw2ykyxKg6neb2vYTZRvbot7M578Vvh6P8CAwEAAaCCAVMwGgY
KKwYBBAGCNw0CAzEMFgo1LjAuMjE5NS4yMDUGCisGAQQBgjcCAQ4xJzAl
MA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDATCB/QYKK
wYBBAGCNw0CAjGB7jCB6wIBAR5aAE0AaQBjAHIAbwBzAG8AZgB0ACAAUg
BTAEEAIABTAEMAaABhAG4AbgBlAGwAIABDAHIAeQBwAHQAbwBnAHIAYQB
wAGgAaQBjACAAUAByAG8AdgBpAGQAZQByA4GJACB3C0g9psK0+V+N/Me1
JsG39vonCPQBdOwNp6zHJSPCU3FwQ0SgFpEQNy6HEn79I0CMrU93q9Hh1
TQtd2YU6lWHQunXrIcytmAFVjhibNX6Dp1e41Wjc2N4ilJyy1GFss686c
dZt2GP6y04I74/OvkW2Wf9nezUrMrESM2PP4B1AAAAAAAAAAAwDQYJKoZ
IhvcNAQEFBQADgYEAg4+QHTvkP5CG+WcGnrhKiMkJnMP6QEsds40obUDS
dGtEupQz8C+4xoMd1aM68q9Ri6Va+JTeuhKHxLz9hT/KUJhNBy0sRfnx+
JkQdrKG69UanTwvLqXINh9xChw9ErIto/2kZI5kl2KYQdiOqTv6p0GEUP
Rq/MD52Zy3bOzSRF0=
-----END NEW CERTIFICATE REQUEST-----

Edit: I went through the steps of generating a more expensive wild-card cert.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1004


Ian Knowles - CIYAM Lead Developer


View Profile WWW
September 26, 2013, 05:25:50 PM
 #5

You don't provide a private key. You provide your public key. Your private key is used to prove control over your web-server.

Oops - typo (edited to fix - my bad) - I do understand how key pairs work - but again no choice was offered.

I did wonder about the security of this after I bought it (and the lack of any instructions to use OpenSSL to create a private key).

Am pretty sure I would not be the only one in the same boat (although it was admittedly the first time I've bought a cert - prior to that I just created self-signed certs).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1004


Ian Knowles - CIYAM Lead Developer


View Profile WWW
September 26, 2013, 05:41:38 PM
 #6

Stupid post - I must have deleted some brain cells (I would blame Chinese wine for that) - yes indeed I did create the key pair (your post update instantly reminded me that I went through that step).

Must have not kept any record of it so I ended up confusing myself (all the conspiracy stuff since the PRISM thing has perhaps got me a bit paranoid).

Okay - some trust has now been restored (thanks).

Will lock this topic now.

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!