Hello list,

I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE.

I already use self-signed for my MX servers (with 3 1 1 DANE records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because

A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates.

Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate; I'll need to provide an OCSP server for when one of their private keys gets compromised.

I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html but it looks like that is intended for enterprise, more complex than I need.

Anyone know of a good simple script for providing OCSP?

-=-

Not relevant to the question but just important for me to note: I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates.

I think the PKI system has way way way too many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must.

DANE as a way to validate S/MIME I think will be a godsend to e-mail security; I hope clients implement it.
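As an added example (not from the thread or from any of the products mentioned), the smallest workable OCSP setup is the responder mode built into OpenSSL itself: it answers from the same index.txt that "openssl ca" maintains, so revoking a user cert in the CA database is all it takes for the responder to start saying "revoked". The script below builds a throwaway CA, a delegated OCSP signing cert, and a user S/MIME cert, revokes the user cert for key compromise, and runs one request/response/verify cycle offline; all names (demo-ca, demo-ocsp, alice@example.com) are constructed for the demo.

```shell
# Added example (not from the thread): throwaway CA, user S/MIME cert,
# revocation, and an OCSP exchange answered by "openssl ocsp" in offline
# responder mode. Names (demo-ca, alice@example.com) are constructed.
set -eu
ocsp_demo() (
  cd "$(mktemp -d)"
  mkdir certs; touch index.txt; echo 1000 > serial   # "openssl ca" database
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./certs
serial = ./serial
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ ocsp_ext ]
extendedKeyUsage = critical, OCSPSigning
EOF
  q() { "$@" >/dev/null 2>&1; }   # silence openssl chatter
  # issuing CA (stands in for the intermediate that signs the user certs)
  q openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj /CN=demo-ca -config ca.cnf -extensions ca_ext
  # delegated OCSP signer: issued by the CA, marked with the OCSPSigning EKU
  q openssl req -new -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.csr \
      -subj /CN=demo-ocsp -config ca.cnf
  q openssl ca -batch -config ca.cnf -in ocsp.csr -out ocsp.pem -extensions ocsp_ext -notext
  # user S/MIME cert, then revoke it as if the private key were compromised
  q openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
      -subj /CN=alice@example.com -config ca.cnf
  q openssl ca -batch -config ca.cnf -in user.csr -out user.pem -notext
  q openssl ca -config ca.cnf -revoke user.pem -crl_reason keyCompromise
  # client request -> responder answers from index.txt -> client verifies
  # (-no_nonce: the offline replay cannot echo a fresh per-run nonce)
  q openssl ocsp -issuer ca.pem -cert user.pem -no_nonce -reqout req.der
  q openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
      -reqin req.der -respout resp.der
  openssl ocsp -issuer ca.pem -cert user.pem -no_nonce -respin resp.der \
      -CAfile ca.pem 2>/dev/null | sed -n 's/^user.pem: //p'   # prints "revoked"
)
```

For a live responder the same "openssl ocsp -index ... -rsigner ... -rkey ..." invocation takes "-port" instead of "-reqin/-respout", and the cert's AIA extension should point clients at that URL.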
https://www.openca.org/ might fit my needs.

On 04/14/2017 06:29 PM, Alice Wonder wrote:
> [...]
On 04/14/2017 10:41 PM, Alice Wonder wrote:
> https://www.openca.org/ might fit my needs.

Their CentOS repo does not exist, it seems?

> On 04/14/2017 06:29 PM, Alice Wonder wrote:
>> [...]
_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos