public-key-infrastructure – WindowsTechs.com

Intermediate issuer field didn’t match its CA subject field

Posted on December 12, 2024 by whitenoisedb

While debugging yesterday’s Cloudflare incident, I found out their intermediate certificate issuer field differ from its signing CA subject, despite the AKI/SKI were correct.
Here’s the relevant CA info,
❯ openssl x509 -noout -text -in ~/D… Continue reading Intermediate issuer field didn’t match its CA subject field→

Intermediate issuer field didn’t match its CA subject field

Posted on December 12, 2024 by whitenoisedb

where is the "DNS Format" for private keys described?

Posted on December 4, 2024 by neubert

RFC6605: Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC has this example of a P-256 key:
Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ=

example.ne… Continue reading where is the "DNS Format" for private keys described?→

How to determine hashing algorithm of a public key in the certificate?

Posted on December 2, 2024 by olkhovskiiooo

The certificate has the fields Signature algorithm and Signature hash algorithm, which determine what algorithm the certificate was signed with, and Public key, which determines what algorithm the information will be signed with, but how c… Continue reading How to determine hashing algorithm of a public key in the certificate?→

Best Practices for WebAuthn FIDO2 reset

Posted on November 4, 2024 by wahok

Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:

WebAuthn with a FIDO2 token (ideally… Continue reading Best Practices for WebAuthn FIDO2 reset→

Is it possible to store or import an external private key into a TPM?

Posted on October 27, 2024 by Ori Frish

Let’s assume I have 3 computers, each with its embedded TPM. I also have a pair of asymmetric keys, which I created elsewhere. I want to store & import the same external private key I have created onto the TPM of each of the 3 computer… Continue reading Is it possible to store or import an external private key into a TPM?→

ECDH Certificate Signing

Posted on September 27, 2024 by Rowan Smith

Is their a recommended RFC standard way to sign an ECDH certificate?
Given that the ECDH Private Key is not intended for digitalSignatures it seems wrong to sign a CSR with it’s own Private Key.
It would seem logical that another trusted c… Continue reading ECDH Certificate Signing→

Why is JWT claim x5t (thumbprint) useful?

Posted on September 23, 2024 by RokL

If I sign JWT (as per JWS spec) with a private key, the receiver of JWT will want to validate the signature and they need public key to do that.
The public key can be "baked" into the app validating or it can be retrieved from an… Continue reading Why is JWT claim x5t (thumbprint) useful?→

Certificate/key revocation

Posted on August 27, 2024 by somehybrid

Systems like Certificate Transparency and Key transparency store trees of keys/certificates. How would a user be able to remove a fraudulent/expired key or certificate? Do the trees stay the same and a separate list of revoked keys/certifi… Continue reading Certificate/key revocation→

openssl tar download, verifying the signature [closed]

Posted on August 20, 2024 by Tom Griffith

I was looking to verify the digital signature (if any) on the openssl3.3.1.tar.gz download from OpenSSL. The "PGP sign" link has nothing behind it (thought it’d have an asc or sig file).
I was able to checksum the hash on the dow… Continue reading openssl tar download, verifying the signature [closed]→