similar to: [Fwd: Re: https and self signed]

On Fri, June 17, 2016 12:31, Valeri Galtsev wrote: > > On Fri, June 17, 2016 10:19 am, James B. Byrne wrote: > >> Keys issued to individuals certainly should have short time limits >> on them. In the same way that user accounts on systems should >> always have a near term expiry date set. People are careless. >> And their motivations are subject to change. >

On Thu, June 16, 2016 14:23, Valeri Galtsev wrote: > > On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote: >> >> I doubt that most users check the dates on SSL certificates, >> unless they are familiar enough with TLS to understand that >> a shorter validity period is better for security. > > Oh, this is what he meant: Cert validity period. Though I agree >

On Fri, 2016-06-17 at 15:56 +0100, Michael H wrote: > On 17/06/16 15:46, James B. Byrne wrote: > > > > We operate a private CA for our domain and have since 2005. We > > maintain a public CRL strictly in accordance with our CPS and have our > > own OID assigned. Our CPS and CRL together with our active, expired > > and revoked certificate inventory is

On Fri, June 17, 2016 10:19 am, James B. Byrne wrote: > > On Thu, June 16, 2016 14:23, Valeri Galtsev wrote: >> >> On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote: >>> >>> I doubt that most users check the dates on SSL certificates, >>> unless they are familiar enough with TLS to understand that >>> a shorter validity period is better for

On Thu, June 16, 2016 13:53, Walter H. wrote: > On 15.06.2016 16:17, Warren Young wrote: >> but it also affects the other public CAs: you can???t get a >> publicly-trusted cert for a machine without a publicly-recognized >> and -visible domain name. For that, you still need to use >> self-signed certs or certs signed by a private CA. >> > A private CA is the

On Sat, June 18, 2016 18:39, Gordon Messmer wrote: > On 06/18/2016 02:49 PM, James B. Byrne wrote: >> On Fri, June 17, 2016 21:40, Gordon Messmer wrote: >>> https://letsencrypt.org/2015/11/09/why-90-days.html >> With respect citing another person's or people's opinion in support >> of >> your own is not evidence in the sense I understand the word to

On Mon, June 20, 2016 13:16, Gordon Messmer wrote: > On 06/20/2016 07:47 AM, James B. Byrne wrote: >> On Sat, June 18, 2016 18:39, Gordon Messmer wrote: >> >>> I'm not interested in turning this in to a discussion on >>> epistemology. >>> This is based on the experience (the evidence) of some of the >>> world's foremost experts in the

On Sat, June 18, 2016 7:52 am, Always Learning wrote: > > On Fri, 2016-06-17 at 15:56 +0100, Michael H wrote: > >> On 17/06/16 15:46, James B. Byrne wrote: > >> > >> > We operate a private CA for our domain and have since 2005. We >> > maintain a public CRL strictly in accordance with our CPS and have our >> > own OID assigned. Our CPS and

On Fri, June 17, 2016 11:06, Walter H. wrote: > On 17.06.2016 16:46, James B. Byrne wrote: >> On Thu, June 16, 2016 13:53, Walter H. wrote: >>> On 15.06.2016 16:17, Warren Young wrote: >>>> but it also affects the other public CAs: you can???t get a >>>> publicly-trusted cert for a machine without a publicly-recognized >>>> and -visible

On 17/06/16 15:46, James B. Byrne wrote: > > On Thu, June 16, 2016 13:53, Walter H. wrote: >> On 15.06.2016 16:17, Warren Young wrote: >>> but it also affects the other public CAs: you can???t get a >>> publicly-trusted cert for a machine without a publicly-recognized >>> and -visible domain name. For that, you still need to use >>> self-signed

I encountered a couple of strange events with respect to password authentication this morning. Two of our staff were unable to login onto several systems using their usual passwords. Both users had last logged in on these hosts using their accounts and passwords on Friday past. The two accounts could not log on to any of the servers for which they had access and the message log on each showed

I want you all to see what I went through trying to simply reassign (unsuccessfully) the context of a well-known port. To the best of my ability to recall none of the packages mentioned below are even installed on the host in question. Why are these dependices preventing me from removing a disused SELinux policy. I have done exactly that, reassign port contexts, in the past without encountering

I arrived at work this morning to find that my desktop unit (CentOS-6.6 KVM) halted with a kernel panic. I am not conversant with any way to save the console display in this case and there was rather a lot of text. I jotted down a few notes and power-cycled the unit to restart. which it did and I am using now to compose this message. The few notes that I manually copied, subject to

I am looking at these sorts of things as well: IN=eth0 OUT=eth1 SRC=129.250.200.121 DST=x.y.z.56 LEN=96 TOS=0x00 PREC=0x00 TTL=243 ID=32285 PROTO=ICMP TYPE=11 CODE=0 [SRC=x.y.z.56 DST=88.198.155.41 LEN=28 TOS=0x10 PREC=0x60 TTL=1 ID=1968 PROTO=UDP SPT=50131 DPT=6528 LEN=8 ] x.y.z.56 is a disused address in our netblock assignment. So whatever this is it is not legit. Does anyone recognize

On Fri, February 10, 2017 06:26, Patrick Begou wrote: > Hello > > I have more and more troubles using firefox in professional > environment with > CentOS6. The latest version is 45.7.0 But I can't use it anymore to > access some > old server hardware (IDRAC7 of DELL C6100) because of > "/SSL_ERROR_WEAK_SERVER_CERT_KEY/". I had to install an old Firefox32 >

On 06/18/2016 02:49 PM, James B. Byrne wrote: > On Fri, June 17, 2016 21:40, Gordon Messmer wrote: >> https://letsencrypt.org/2015/11/09/why-90-days.html > With respect citing another person's or people's opinion in support of > your own is not evidence in the sense I understand the word to mean. I'm not interested in turning this in to a discussion on epistemology.

On 06/16/2016 11:23 AM, Valeri Galtsev wrote: > as the one who has to handle quite a > few certificates, I only will go with certificates valid for a year, > ...do I miss something?). Yes. The tool that creates certificate/key pairs, submits the CSR, and installs the certificate is intended to be fully automated. In production, you should be running it as an automatic job. As

On Thu, May 26, 2016 10:51, Juan Bernhard wrote: > > El 26/05/2016 a las 11:39 a.m., Valeri Galtsev escribi?: >> I guess, it is just me in general unhappy about all Linuxes >> getting much less "UNIX"y lately. > > I feel you Valerei, im switching new server instalations to FreeBSD. > Im tired to spend useful time learning new ways (systemd, firewalld, > dnf,

yum upgrade -y yada yada yada .... then lots of errors like: /usr/share/gnome/help/gdm/fr/gdm.xml:173: parser error : Entity 'eacute' not defined and so on until Document is not well-formed XML: /usr/share/gnome/help/gdm/it/gdm.xml Updating : amtu ##################### [173/520] Updating : grub ##################### [174/520] ...

On Wed, Jun 15, 2016 at 10:02:57AM -0500, Valeri Galtsev wrote: > > On Wed, June 15, 2016 9:17 am, Warren Young wrote: > >> > >> Nowadays it's quite easy to get normal ssl certificates for free. E.g. > > > > Today, I would prefer Let???s Encrypt: > > > > https://letsencrypt.org/ > > > > It is philosophically aligned with the open