From tarunupadhyay at yahoo.com Wed Jul 5 05:11:19 2000 From: tarunupadhyay at yahoo.com (Tarun Upadhyay) Date: Wed, 5 Jul 2000 08:41:19 +0530 Subject: DSS Public Key Certificate Message-ID: <000901bfe62e$e1b8c510$0401a8c0@EBPROVIDER> I am currently implementing TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA ciphersuite. While sending server certificates during handshake, I hit on two issues: a) DHE_DSS requires DSS Public Key to be sent in certificate. Where is this key typically available on the server? Is it available as X.509v3 signed certificate or in some other format which needs to be encoded in X.509? b) If the answer to the first question is "some other format", do we have open source APIs (say, in other gnupg projects) available for encoding to X.509, ASN.1 etc.? Regards Tarun From tarunupadhyay at yahoo.com Fri Jul 7 06:43:01 2000 From: tarunupadhyay at yahoo.com (Tarun Upadhyay) Date: Fri, 7 Jul 2000 10:13:01 +0530 Subject: Certificate Handling Message-ID: <005f01bfe7cd$da82cb60$0401a8c0@EBPROVIDER> Werner, I was wondering if you can help me with a few issues on certificate handling for GNU-TLS. a) What kind of coding for certificates should be supported. I plan to support PEM immediately. Is DER also essential? b) How should a private key protected? How should its access authenticated without prompting for a password? Regards Tarun From wk at gnupg.org Fri Jul 7 18:47:52 2000 From: wk at gnupg.org (Werner Koch) Date: Fri, 7 Jul 2000 18:47:52 +0200 Subject: Certificate Handling In-Reply-To: <005f01bfe7cd$da82cb60$0401a8c0@EBPROVIDER>; from tarunupadhyay@yahoo.com on Fri, Jul 07, 2000 at 10:13:01AM +0530 References: <005f01bfe7cd$da82cb60$0401a8c0@EBPROVIDER> Message-ID: <20000707184752.C1050@djebel.gnupg.de> Hello, On Fri, 7 Jul 2000, Tarun Upadhyay wrote: > a) What kind of coding for certificates should be supported. I plan to > support PEM immediately. Is DER also essential? > b) How should a private key protected? How should its access authenticated > without prompting for a password? Please have a look at OpenSSL and see how they do it. For server applications it does not make much sense to store the secret key encrypted unless you want to have an operator to enter that passpharse on every startup. The best solution would be a hardware token, used to store and process the secret key. I am currently looking at such things. Werner -- Werner Koch OpenPGP key 621CC013 OpenIT GmbH tel +49 211 239577-0 Birkenstr. 12 email wk at OpenIT.de D-40233 Duesseldorf http://www.OpenIT.de