GnuPG sub-keys revocation
My current GnuPG key schema is the one recommended in OpenPGP Best Practices and many other sources. It consists of one offline master key plus a set of sub-keys for day-to-day operations stored on a smart card.
I would like to better understand the implications of maintaining a long lived (hours, days) TLS connection with respect to certificate revocation. As I understand TLS, the client verifies the server’s certificate during the … Continue reading Do long lived TLS connections pose a security risk?
In our environment, we provide user certificates to sign or encrypt emails. This is an internal setting, meaning the CA is internal to our organization (not a public CA) and handled by our Active Directory PKI.
User certific… Continue reading User mail certificates policy: Is expiration+renewal better than no-expiration+revocation?
As far as I can tell (ssllabs.com / ssldecoder.org) the certificate for www.sarahah.com has been revoked:
Serial C1:18:2F:1A:91:A9:0E:03
CRL – Revoked on CRL: http://crl.godaddy.com/gdig2s1-792.crl
Revocation date: Mar 1 1… Continue reading Revoked cert not showing revoked in Chrome 64.0.3282.186
RFC 5280 says:
“The removeFromCRL (8) reasonCode value may only appear in delta CRLs and indicates that a certificate is to be removed from a CRL because either the certificate expired or was removed from hold.”
My question… Continue reading Certificate revocation with reason code removeFromCRL
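The two questions above (the serial that ssllabs reports as revoked on the GoDaddy CRL, and the RFC 5280 rule that removeFromCRL (8) only belongs in delta CRLs) both come down to reading the revokedCertificates list of a CRL. The following is an added example, not code from any of the questions: a minimal DER walker that lists revoked serials with their CRL reason code and then applies the delta-CRL rule. Everything here is an assumption for illustration: the helper names, the inline DER encoder, and the sample CRL, which is constructed (empty issuer, zero placeholder signature, made-up dates and reason codes). It only reuses the serial quoted in the Chrome question. Nothing verifies the CRL signature, which a real check must do first.

```python
# Added example: check a serial against an X.509 CRL, honouring removeFromCRL in delta CRLs.
# Stdlib only; the sample CRL is constructed, not downloaded, so this runs offline.

# --- tiny DER encoder, used only to build the constructed sample CRL ---

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v: int) -> bytes:          # non-negative INTEGER, minimal two's-complement encoding
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def der_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def der_utctime(s: str) -> bytes:      # e.g. "180301120000Z"
    return tlv(0x17, s.encode("ascii"))

REASON_CODE_OID = der_oid("2.5.29.21")   # id-ce-cRLReasons, RFC 5280 section 5.3.1
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
           4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
           8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}
REMOVE_FROM_CRL = 8

# --- tiny DER decoder ---

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def revoked_entries(crl_der: bytes) -> dict:
    """Map serial -> {'date': str, 'reason': int or None} for each revokedCertificates entry.
    TBSCertList is [version] sigAlg issuer thisUpdate [nextUpdate] [revokedCertificates] [crlExtensions],
    so the first SEQUENCE after a Time element is the revoked list."""
    _, cert_list, _ = read_tlv(crl_der, 0)
    tbs = next(children(cert_list))[1]                 # tbsCertList is the first element
    entries, seen_time = {}, False
    for tag, value in children(tbs):
        if tag in (0x17, 0x18):                        # UTCTime / GeneralizedTime
            seen_time = True
        elif tag == 0x30 and seen_time:
            for _, entry in children(value):
                fields = list(children(entry))         # serial, revocationDate, [crlEntryExtensions]
                serial = int.from_bytes(fields[0][1], "big", signed=True)
                reason = None
                if len(fields) > 2:
                    for _, ext in children(fields[2][1]):
                        ext_fields = list(children(ext))      # extnID, [critical], extnValue
                        if tlv(0x06, ext_fields[0][1]) == REASON_CODE_OID:
                            reason = read_tlv(ext_fields[-1][1], 0)[1][0]  # ENUMERATED in the OCTET STRING
                entries[serial] = {"date": fields[1][1].decode("ascii"), "reason": reason}
            break
    return entries

def is_revoked(crl_der: bytes, serial_hex: str, delta_crl: bool = False) -> bool:
    """Look up a serial written the way ssllabs/Chrome show it ('C1:18:2F:...').
    In a delta CRL, removeFromCRL means the serial is being taken OFF the base CRL
    (expired or released from hold), so such an entry does not count as revoked."""
    entry = revoked_entries(crl_der).get(int(serial_hex.replace(":", ""), 16))
    if entry is None:
        return False
    return not (delta_crl and entry["reason"] == REMOVE_FROM_CRL)

def build_sample_crl(entries) -> bytes:
    """Constructed v2 CRL; entries are (serial, UTCTime, reason). Empty issuer, zero signature."""
    alg = der_seq(der_oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))   # sha256WithRSAEncryption, NULL
    revoked = [der_seq(der_int(s), der_utctime(d),
                       der_seq(der_seq(REASON_CODE_OID, tlv(0x04, tlv(0x0A, bytes([r]))))))
               for s, d, r in entries]
    tbs = der_seq(der_int(1), alg, der_seq(), der_utctime("180301000000Z"),
                  der_utctime("180308000000Z"), der_seq(*revoked))
    return der_seq(tbs, alg, tlv(0x03, b"\x00" * 33))   # BIT STRING, 0 unused bits, placeholder

# Constructed sample: the serial quoted in the Chrome question with a made-up reason code,
# plus a made-up serial whose entry says removeFromCRL (only meaningful in a delta CRL).
SAMPLE_CRL = build_sample_crl([(0xC1182F1A91A90E03, "180301120000Z", 1),
                               (0x1234, "180302120000Z", REMOVE_FROM_CRL)])

if __name__ == "__main__":
    for serial, e in revoked_entries(SAMPLE_CRL).items():
        print(f"{serial:X}  {e['date']}  {REASONS.get(e['reason'], e['reason'])}")
    print(is_revoked(SAMPLE_CRL, "C1:18:2F:1A:91:A9:0E:03"))
```

Whether a CRL is a delta CRL is signalled by the Delta CRL Indicator extension in crlExtensions, which this walker does not parse; the `delta_crl` flag stands in for that knowledge. Against a real CRL, fetch it, verify the issuer signature, and only then trust the entries.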
I am reading a bit on the certificate transparency project initiated by Google. (More info at http://www.certificate-transparency.org) This technology tries to introduce transparency in the creation of CA certificates. Their… Continue reading What is the status of Certificate Transparency?
There are countless “how-to” articles and best practices recommending use of an offline root certificate authority (CA). Though as the title suggests, is this recommendation obsolete?
The context of my question is for small to medium ente… Continue reading Is the Offline Root CA Obsolete?
I made a mistake several years ago by uploading OpenSSL certificate key (.pem and .pk8) into a blog post. The key was used to sign Android apk using SignApk.jar tool. Someone took it and used the key to sign malware apps and … Continue reading Certificate and key abuse
In a recent online course, an instructor stated:
Once you’ve created a certificate, eventually you are going to have to
revoke it, and even if that’s just to renew it, really, I mean if you
have created a certificate… Continue reading Are all (or most) expired certificates issued by 3rd party certificate authorities also marked as revoked?
Suppose I have a certificate SHA-256 fingerprint, which I can obtain, say, by visiting the relevant domain in Firefox or from a shell script using openssl, and I want to verify this fingerprint. One option is to look up the domain… Continue reading ways to check a certificate fingerprint against known logs
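Before comparing a fingerprint against anything, it helps to be precise about what it is: the SHA-256 fingerprint shown by Firefox, and by `openssl x509 -noout -fingerprint -sha256`, is the hash of the certificate's DER encoding, not of the PEM text. The following is an added example, not code from the question: it extracts the DER from a PEM file, recomputes the fingerprint, and compares it with a value pasted from one of those tools, normalising the colon, space and case differences between them. The helper names and the sample certificate are assumptions; the sample is a constructed byte string, not a real certificate, which is enough because fingerprinting does not parse the certificate.

```python
# Added example: recompute and compare a certificate's SHA-256 fingerprint. Stdlib only.
import base64
import hashlib
import hmac
import re

def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE block. The fingerprint is defined over this DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase hex, the form Firefox and openssl display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd', 'abcd', or openssl's 'sha256 Fingerprint=AB:CD' form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp.split("=", 1)[-1])
    if len(hexdigits) != 64:
        raise ValueError("expected 64 hex digits for a SHA-256 fingerprint")
    return hexdigits.upper()

def fingerprint_matches(pem: str, expected: str) -> bool:
    """Constant-time comparison of the recomputed fingerprint with a pasted one."""
    actual = normalize_fingerprint(sha256_fingerprint(pem_to_der(pem)))
    return hmac.compare_digest(actual, normalize_fingerprint(expected))

# Constructed sample: an arbitrary byte string wrapped as PEM, standing in for a real DER certificate.
SAMPLE_DER = b"constructed sample, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(sha256_fingerprint(pem_to_der(SAMPLE_PEM)))
    print(fingerprint_matches(SAMPLE_PEM, sha256_fingerprint(SAMPLE_DER).lower()))
```

A fingerprint copied from a browser identifies exactly one DER encoding, so a mismatch after normalisation means a different certificate was served, not a formatting difference; that is the property that makes the fingerprint usable as a lookup key.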