Monday, October 20, 2008

cltools (beta) available

Since last night the Crypto-Live Tools (cltools) have been linked on the web site.
http://www.crypto-live.org/

Update March 24, 09: Unfortunately I cannot find a hosting provider which allows me to use openssl commands via PHP exec(). If you can help please send me a note at info at crypto dash live dot org. I appreciate your help.

Wednesday, August 27, 2008

Personal online backup with Mozy

Here is something I want to share. I am using Mozy Home, from Mozy Inc., an EMC company, to back up my local files to an online system. It was quite simple to install and configure. Every connection is encrypted, the server certificate is checked (you will see an error if something is wrong with the server's certificate), and all your data is encrypted on Mozy with a personal key.
After installation there are two processes running on your machine (WinXP), mozybackup.exe and mozystat.exe, each consuming approx. 7 MB of RAM, so not bad at all.
The Mozy client is available for most Windows versions and also for Mac OS X.

Check it out
https://mozy.com/?ref=BGQ9M0

For professionals and companies there is also a Mozy Pro version which supports server operating systems, Exchange, SQL Server etc.

Thursday, May 29, 2008

Subject Name with Microsoft CA 2003

Today I had a challenge: finding out how to request a certificate from a Windows 2003 Server CA with a "free-style" subject name. The MS CA supports and enforces a fixed list of subject attributes; enabled by default are EMail, CommonName, OrganizationalUnit, Organization, Locality, State, DomainComponent and Country. Optionally you can allow Title, GivenName, Initials, Surname, StreetAddress, UnstructuredName, UnstructuredAddress and DeviceSerialNumber.
First I wasted time looking for a way to extend that list; later I got a tip that I can disable the checking. To do so run Certutil -setreg ca\crlflags +CRLF_REBUILD_MODIFIED_SUBJECT_ONLY (see also http://support.microsoft.com/kb/928016).

Now every subject name is accepted. :-)
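The check before and after the change, plus the service restart the registry change needs, as an added example (not the post's own steps). It assumes an elevated PowerShell session on the CA itself; certutil -getreg and the certsvc service name are standard on a Windows Server 2003 CA.

```powershell
# Added example: inspect, change and verify the CA's CRLFlags value.
# Assumes an elevated session on the CA; no other flags are touched.

# 1. Record the current value so the change can be reverted later.
certutil -getreg ca\crlflags

# 2. Add the flag. The leading '+' ORs it into the existing value instead of
#    replacing it, so any other CRLFlags already set are preserved.
certutil -setreg ca\crlflags +CRLF_REBUILD_MODIFIED_SUBJECT_ONLY

# 3. The CA reads these registry values when the service starts, so restart
#    Certificate Services for the change to take effect.
Restart-Service -Name certsvc

# 4. Confirm the flag is now listed in the output.
certutil -getreg ca\crlflags
```

Once the flag is set the CA no longer validates the subject attributes, so the issued certificate carries whatever the requester put into the request. Keep that in mind when deciding who may submit requests to this CA and review the subjects of certificates issued afterwards.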

Saturday, May 24, 2008

Is SSL secure? in addition

SSL is only as secure as your cryptographic toolset. Currently you can find a big hole in Debian-based systems (e.g. Debian, Ubuntu). It is not only a problem for SSL, but also for SSH or OpenVPN. On SSH and OpenVPN you have that issue not only on the server; it is a client problem too! My recommendation is to revoke all keys which were created between September 2006 and May 2008. There are a few test programs on the Internet; I will give you more detailed information when available. Please also check out the Debian Wiki at http://wiki.debian.org/SSLkeys .
This is really a bad thing for the open source community.

Saturday, November 17, 2007

SSL - Is it secure? Yes, it is.

Often people have told me that SSL is a secure communication protocol. They think about it in two ways: 1) all my data is encrypted and no hacker can get it, 2) the server knows who I am, so I am authenticated. Stop, wait a minute. First of all, SSL is a secure way to communicate: secure from a point A to a point B. If SSL is used to secure HTTP connections then A is your Internet browser and B is the HTTP daemon on the web server at the other end. So what you are typing in is not encrypted, and the data stored on B is also not encrypted, at least not by the SSL communication. Okay, back to the communication between A and B. You know only the identity of the server, but how? Your DNS server directs you to the correct IP address, and an official Internet authority (e.g. GlobalSign) has issued an SSL server certificate for the server after checking certain criteria, which should prove the identity of the organization which is running the server. As long as you are using a trustworthy DNS, the Internet authority did its job, no one has installed an "odd" Root CA into your browser and you do not get an SSL error message while opening the web site, the SSL connection is secure.
But still, on the web server an administrator or hacker could copy data, or someone might think she can sell your address data. So check at least the privacy statement on the website. If something is wrong, an error on SSL connect or a privacy statement that sounds weird, don't type in any personal information.

Friday, November 16, 2007

How to plan a CLM deployment

To deploy the Certificate Lifecycle Manager (CLM) successfully you will probably need more time for preparation than for other applications. CLM 2007 has impacts on Windows 2003 Enterprise Edition, SQL Server 2005, your Active Directory strategy, IIS, security policies, Certificate Services and so on. In larger organizations you will probably have to talk to more than one other guy. :-)

Hopefully my spreadsheet helps you to start quickly:

http://spreadsheets.google.com/pub?key=pUqp6TNO9kzkO4UIAZH-5Zw

Tuesday, November 13, 2007

Exchange 2003 contacts and certificates

In Exchange you can add external recipients as contacts. So I tried to add certificates to the contacts, but my Outlook was not able to get them and so I couldn't send an encrypted email.
The standard with S/MIME is to first exchange signed messages between both parties; then they can start to encrypt. Well, that's nice for your home computer, but not the right thing for a huge company where everyone is working on other things instead of PKI stuff ;-).

So I added the user certificates to the contact object with an LDAP browser (e.g. ldp). Make sure that you are uploading DER-encoded files and that you have a valid email encryption certificate (Enhanced Key Usage: Secure Email). After that it works in Outlook and Outlook Web Access.
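The same upload done from a script instead of an LDAP browser, with the two checks from the paragraph above (DER encoding and the Secure Email EKU) made explicit, as an added example that is not part of the original post. It assumes the certificate file path and the contact's distinguished name shown as placeholders, an account allowed to write the contact's userCertificate attribute, and the .NET X509Certificate2 class and the [ADSI] accelerator that ship with Windows PowerShell.

```powershell
# Added example: verify a user certificate and append its DER bytes to an
# Exchange contact's userCertificate attribute via ADSI.
# $certPath and $contactDN are placeholders; replace them with your own values.

$certPath  = 'C:\certs\alice.cer'                                    # DER or PEM file
$contactDN = 'LDAP://CN=Alice Example,OU=Contacts,DC=example,DC=com' # hypothetical contact

# X509Certificate2 loads both DER and PEM files. RawData is always the DER
# encoding, which is what the directory attribute expects; uploading the PEM
# text file itself is the mistake the post warns about.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# id-kp-emailProtection ("Secure Email") is OID 1.3.6.1.5.5.7.3.4.
$secureEmailOid = '1.3.6.1.5.5.7.3.4'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasSecureEmail = $false
if ($eku) {
    $hasSecureEmail = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $secureEmailOid })
}
if (-not $hasSecureEmail) {
    throw "Certificate $($cert.Thumbprint) lacks the Secure Email EKU; Outlook will not use it for encryption."
}

# A valid certificate is required as well: reject anything already expired.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# userCertificate is multi-valued; Add() appends so certificates already
# stored on the contact are kept. psbase reaches the underlying DirectoryEntry.
$contact = [ADSI]$contactDN
$contact.psbase.Properties['userCertificate'].Add([byte[]]$cert.RawData) | Out-Null
$contact.psbase.CommitChanges()

Write-Host "Added $($cert.Subject) ($($cert.Thumbprint)) to $contactDN"
```

Appending rather than replacing matters when a contact is being renewed: Outlook can still decrypt mail sent under the older certificate while the new one is picked up for new messages.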