[Pki-users] Questions on customizing certificate profiles

Arshad Noor arshad.noor at strongauth.com
Thu Apr 8 22:25:24 UTC 2010


I am sorry to read this, Kevin.  It suggests that RedHat has
forgotten its open-source roots and what made it a billion
dollar company in the first place.

We are all familiar with the **** that companies put up with
when buying some commercial products.  Open-source was meant
to be an answer to that problem - that quality could be vastly
improved in software when there were many eyes looking at the
source - not because some people just like the idea of seeing
the source-code of the products they use.

That RedHat was making money on services off of open-source
products was perfectly acceptable - there is real value in
services.  But, when the open-source company starts
differentiating its open-source products from its commercial
products, it subverts the whole notion of open-source and what
it stands for.

If the fix did not exist and it was up to the open-source
community to prioritize the fix, that's one thing.  But when
the fix *does* exist, and has been merged into the commercial
branch, but is not merged into the open-source branch - that
suggests deliberate manipulation of the trust and goodwill of
the open-source community.

Arshad Noor
StrongAuth, Inc.


Kevin Unthank wrote:
> Hi Arshad,
> 
> Obviously, there are differences between RHCS8 and the latest release
> of Dogtag. Generally, new feature development takes place in dogtag
> and some of those features find their way back into RHCS8. Bug fixing
> often occurs first in RHCS8 and those fixes are ported to dogtag.
> 
> PKI with only SHA-2 hashes is a fix that was made in the RHCS8
> code tree and released in both source and binary form in errata
> RHBA-2009-1602. That fix will make it into dogtag builds but I can't
> commit to a specific release or date when this will happen.
> 
> Until then it should be possible to work around the problem by using
> pkisilent or the renewal method suggested by Andrew.
> 
> Cheers,
> Kev
> 
> On 04/08/2010 10:55 AM, Arshad Noor wrote:
>> Can someone from the DogTag Engineering team confirm that a PKI
>> with only SHA-2 hashes *cannot* be built with the current version
>> of the product?
>>
>> I find this hard to believe given that the RHCS documentation seems
>> to indicate that it is possible to do so, and given that the
>> underlying code already has SHA-2 support; nevertheless, can someone
>> confirm Oliver's finding? Thanks.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
>> can be configured at the time the self-signed cert is created, does
>> that imply that the commercial RHCS is technologically different from
>> the open-source DogTag? And, that it isn't just a question of RedHat
>> support?
>>
>>
>> Oliver Burtchen wrote:
>>> Hi @ all,
>>>
>>> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
>>> editing the config files. No luck!
>>>
>>> I found that this is hard-coded in the sources, for example in:
>>>
>>> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
>>> - pki-common-1.3.2/src/com/netscape/cmscore/security/CASigningCert.java
>>>
>>> Just look for "SHA1withRSA" in the files; I don't think these are just
>>> fallbacks.
>>> Best regards,
>>> Oli
>>>
>>>
>>>
>>> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
>>>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
>>>>> The only option that is visible under Advanced is the key-size
>>>>> for each of the certificate-types. The hash algorithm does not
>>>>> show up at all.
>>>>>
>>>>> Even the default, as mentioned by Step 8, is not the default as
>>>>> the last 10-12 installs have shown:
>>>>>
>>>>> * SHA256withRSA (the default)
>>>>>
>>>>> So, the question is: is the current build of DogTag in the pki
>>>>> repository identical to RHCS 8.0 or is it a different version?
>>>> It might very well be ... we can look at the svn commits
>>>> to be really sure...
>>>>
>>>>> Arshad Noor
>>>>> StrongAuth, Inc.
>>>>>
>>>>> Chandrasekar Kannan wrote:
>>>>>> the installation wizard should provide 'options' under the advanced
>>>>>> section for you to be able to select the alg to use. Have you tried
>>>>>> doing Step (8) from here?
>>>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>
>>>
>>
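The question running through this thread is whether a Dogtag/RHCS CA can be built with SHA-2 only, and Oliver's finding is that "SHA1withRSA" is hard-coded in the installer sources. Whatever the wizard or pkisilent did at install time, what a PKI operator ultimately has to verify is the signature algorithm actually recorded in the CA signing certificate and the other subsystem certificates. The following is an added example, not code from this thread, from Dogtag or from Red Hat: a stdlib-only Python DER walker that reads both AlgorithmIdentifier fields of an X.509 certificate (the `tbsCertificate.signature` field and the outer `signatureAlgorithm` field, which RFC 5280 requires to be equal), reports the algorithm name, and flags SHA-1 and MD5 signatures. The certificates it inspects are constructed inside the script: they are structurally valid Certificate SEQUENCEs with empty placeholder issuer/subject/key fields and a zero signature, not real signed certificates. The OID table lists the standard PKCS#1 and X9.62 identifiers; the function and variable names are this example's own.

```python
import base64

# Standard AlgorithmIdentifier OIDs (PKCS#1 / X9.62); names as in RFC 3279 / RFC 4055.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:               # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def algorithm_oid(alg_id_body):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_body, _ = read_tlv(alg_id_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def load_der(data):
    """Accept raw DER or a PEM block (e.g. an exported CA signing cert); return DER bytes."""
    if b"-----BEGIN" in data:
        body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def certificate_signature_algorithms(data):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    der_bytes = load_der(data)
    _, cert_body, _ = read_tlv(der_bytes, 0)          # Certificate SEQUENCE
    _, tbs_body, pos = read_tlv(cert_body, 0)         # tbsCertificate
    _, outer_alg, _ = read_tlv(cert_body, pos)        # signatureAlgorithm
    # tbsCertificate: [0] version OPTIONAL, serialNumber, signature, issuer, ...
    tag, _, after_first = read_tlv(tbs_body, 0)
    p = after_first if tag == 0xA0 else 0             # skip explicit [0] version if present
    _, _, p = read_tlv(tbs_body, p)                   # serialNumber
    _, inner_alg, _ = read_tlv(tbs_body, p)           # signature (must equal the outer one)
    return algorithm_oid(inner_alg), algorithm_oid(outer_alg)


def check_certificate(data):
    """Return (algorithm name, findings); findings may contain "mismatch" and/or "weak"."""
    inner, outer = certificate_signature_algorithms(data)
    findings = []
    if inner != outer:
        findings.append("mismatch")                   # RFC 5280 4.1.1.2: the two fields MUST match
    if outer in WEAK_SIG_OIDS:
        findings.append("weak")
    return SIG_ALG_NAMES.get(outer, outer), findings


# --- constructed sample input: NOT real certificates (placeholder fields, zero signature) ---

def der(tag, body):
    """Encode one TLV with minimal (DER) length encoding."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def encode_oid(dotted):
    """Dotted OID string -> content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = bytearray([arc & 0x7F]), arc >> 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def build_sample_certificate(sig_oid, tbs_sig_oid=None):
    """Structurally valid Certificate; Name/Validity/SPKI are empty placeholders."""
    def alg(oid):                                     # AlgorithmIdentifier with NULL parameters
        return der(0x30, der(0x06, encode_oid(oid)) + b"\x05\x00")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))     # [0] version v3
                  + der(0x02, b"\x01")                # serialNumber 1
                  + alg(tbs_sig_oid or sig_oid)       # signature
                  + der(0x30, b"") * 4)               # issuer, validity, subject, SPKI placeholders
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" * 17))  # zero BIT STRING signature


def to_pem(der_bytes):
    """Wrap DER as PEM so the PEM path of load_der is exercised too."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n".encode()


if __name__ == "__main__":
    samples = [
        ("sha1-signed", build_sample_certificate("1.2.840.113549.1.1.5")),
        ("sha256-signed", build_sample_certificate("1.2.840.113549.1.1.11")),
        ("mismatched", build_sample_certificate("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5")),
    ]
    for label, cert in samples:
        print(label, check_certificate(to_pem(cert)))
```

Run against a PEM export of the CA signing certificate (and the OCSP, subsystem and SSL server certificates) after installation: a "weak" finding means the CA chain is SHA-1 signed regardless of what the config files say, and is exactly the case the renewal workaround mentioned in the thread is meant to address. The mismatch check is included because a certificate whose two AlgorithmIdentifier fields disagree is malformed under RFC 5280 and should be rejected rather than silently accepted on the strength of the outer field alone.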