RE: https://infosec.exchange/@paulehoffman/115889970411988081

Side note: this is why things like "multi-perspective corroboration" for domain validation do not work.

When every single packet to .ir nameservers and servers inside Iran passes through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any .ir domain or any server located in Iran.

#x509 #dns #dnssec #certificate

TIL that, if your #OpenVPN peer uses a self-signed certificate, you can set the --ca option to that self-signed #certificate. Even though it is not actually marked as a CA certificate, this will work anyway.

Presumably because that technically *is* the CA of the peer's certificate. A self-signed certificate lists itself as the issuing CA. That's why it's called “self-signed”.

#x509

RE: https://abyssdomain.expert/@filippo/115674985400164090

An archive of all CT-logged certificates with all the tools needed for an analysis! No more scraping.

#ctlog #x509 #certificate

So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45 days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.

Does anybody have any idea when this will finally go live?

It's in the docs, but still no mention that it is restricted to invited users only.

https://letsencrypt.org/docs/profiles/#shortlived

#x509 #LetsEncrypt #ip

Profiles

A profile is a collection of characteristics that describe both the validation process required to get a certificate, and the final contents of that certificate. For the vast majority of Let’s Encrypt subscribers, you should never have to worry about this: we automatically select the best profile for you, and ensure that it complies with all of the requirements and best practices that govern the Web PKI. But some people might be interested in proactively selecting a specific profile, so this page exists to provide the information necessary to make that choice.

% openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text

Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA

🧐

#Zoom #x509

It's been over half a year and the Internet still seems to be working.

Here's your regular reminder that #cname in #x509 is almost always irrelevant for the validation. If someone is using it, they are doing it wrong.
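Added example (not code from the post's author), assuming the post's "#cname" means the Subject Common Name: a stdlib-only hostname check in the style of RFC 6125 and modern TLS clients, which decides purely on subjectAltName dNSName / iPAddress entries and ignores the CN. The certificate dicts are constructed by hand in the shape that ssl.SSLSocket.getpeercert() returns; no connection is made.

```python
"""
Hostname verification as RFC 6125 and modern TLS clients do it:
only subjectAltName entries count; the Subject CN is never consulted.
The cert dicts mirror ssl.SSLSocket.getpeercert() output (assumption:
constructed inline here rather than fetched from a peer).
"""
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.

    A wildcard is accepted only as the entire leftmost label
    (``*.example.com``); ``*.com`` and ``f*.example.com`` are rejected,
    and a wildcard matches exactly one label (``a.b.example.com`` does
    not match ``*.example.com``).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # wildcard must be the whole leftmost label with at least two labels after it
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True iff ``cert`` is valid for ``hostname``.

    Decided solely on subjectAltName: a certificate without a SAN
    extension matches nothing, whatever its CN says. IP literals are
    compared against iPAddress SANs, names against dNSName SANs.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS":
            if _dns_name_match(value, hostname):
                return True
    return False


# Constructed sample certificates (getpeercert() dict shape, example.com names).
CN_ONLY_CERT = {
    # CN names the host, but there is no SAN extension at all
    "subject": ((("commonName", "www.example.com"),),),
}
SAN_CERT = {
    # CN says something unrelated; only the SANs matter
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    for cert, name in [(CN_ONLY_CERT, "www.example.com"),
                       (SAN_CERT, "www.example.com"),
                       (SAN_CERT, "ignored.example.net"),
                       (SAN_CERT, "v1.api.example.com"),
                       (SAN_CERT, "192.0.2.10")]:
        print(f"{name:24} -> {hostname_matches(cert, name)}")
```

The CN-only certificate fails for the very name its CN carries, which is the behaviour the reminder above describes: putting the hostname in the CN alone does nothing for validation.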

@petarov

Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.

Roughly, #x509 provides one way trust and I need mutual trust in a distributed group.

So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.

Other People Have Lives – I Have Domains

These are just some boring update notifications from the elkemental Webiverse. The elkement blog has recently celebrated its fifth anniversary, and the punktwissen blog will turn five in December. Time to celebrate this - with new domain names that say exactly what these sites are - the 'elkement . blog' and the 'punktwissen . blog' (Edit: which now - in 2020 - point to a copy of these sites elsewhere ;-) Edit again in 2023: And now the main name of this site is elkement.art […]

https://elkement.art/2017/06/06/other-people-have-a-life-i-have-domains/

One of the most simultaneously useful and painful things you can ever learn in your IT/programming career is the X.509 standard.

#programming #x509 #pki

Sigh. Yet another #X509 #certificate generating tool that doesn't know how to generate a non-expiring certificate. 🤬

And yes, there is such a thing. The certificate expiration time “99991231235959Z” (23:59:59 UTC on December 31, 9999) is specified by RFC 5280 as meaning the certificate never expires.

So far, I have found only one program, xca https://hohnstaedt.de/xca/ that knows how to make such a certificate.

#cybersecurity #infosec

X - Certificate and Key management

XCA is an x509 certificate generation tool, handling RSA, DSA and EC keys, certificate signing requests (PKCS#10) and CRLs. It supports a broad range of import and export formats.
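Added example (not code from the poster, from xca, or from the Zoom post) covering the two Validity posts above: a stdlib-only decoder and encoder for the DER Time used in an X.509 Validity field per RFC 5280 §4.1.2.5, which picks UTCTime for years through 2049 and GeneralizedTime from 2050 on, and treats the GeneralizedTime value 99991231235959Z as the no-expiration sentinel. The sample byte strings are constructed here: the Zoom certificate's "Feb 7 23:59:59 2020 GMT" as a UTCTime TLV, and the sentinel as a GeneralizedTime TLV.

```python
"""
Decode/encode the ASN.1 Time of an X.509 Validity field (RFC 5280 4.1.2.5):
UTCTime (tag 0x17, YYMMDDHHMMSSZ) through 2049, GeneralizedTime (tag 0x18,
YYYYMMDDHHMMSSZ) from 2050 on, and 99991231235959Z as the sentinel meaning
no well-defined expiration date.
"""
from datetime import datetime, timezone
from typing import Optional

UTC_TIME_TAG = 0x17
GENERALIZED_TIME_TAG = 0x18
NO_EXPIRY = "99991231235959Z"


def decode_time(der: bytes) -> Optional[datetime]:
    """Decode one DER Time TLV into an aware UTC datetime.

    Returns None for the RFC 5280 never-expires sentinel and raises
    ValueError on anything malformed or not DER-conformant.
    """
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, length = der[0], der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")
    value = der[2:].decode("ascii")
    if not value.endswith("Z"):
        raise ValueError("DER Time must be expressed in UTC (trailing Z)")
    if tag == UTC_TIME_TAG:
        if len(value) != 13:
            raise ValueError("UTCTime must be YYMMDDHHMMSSZ")
        yy = int(value[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 two-digit year rule
        rest = value[2:12]
    elif tag == GENERALIZED_TIME_TAG:
        if len(value) != 15:
            raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
        if value == NO_EXPIRY:
            return None
        year = int(value[:4])
        if year < 2050:
            raise ValueError("dates before 2050 must be encoded as UTCTime")
        rest = value[4:14]
    else:
        raise ValueError(f"not a Time tag: 0x{tag:02x}")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def encode_time(when: Optional[datetime]) -> bytes:
    """Encode an aware datetime as DER Time with the tag RFC 5280 requires.

    None encodes the never-expires sentinel (a tool that cannot emit this
    is the complaint in the post above).
    """
    if when is None:
        body = NO_EXPIRY.encode("ascii")
        return bytes([GENERALIZED_TIME_TAG, len(body)]) + body
    if when.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    when = when.astimezone(timezone.utc)
    if when.year < 1950:
        raise ValueError("UTCTime cannot represent years before 1950")
    if when.year < 2050:
        body, tag = when.strftime("%y%m%d%H%M%SZ").encode("ascii"), UTC_TIME_TAG
    else:
        body, tag = when.strftime("%Y%m%d%H%M%SZ").encode("ascii"), GENERALIZED_TIME_TAG
    return bytes([tag, len(body)]) + body


def is_expired(not_after_der: bytes, now: datetime) -> bool:
    """True if a notAfter TLV lies in the past; the sentinel never expires."""
    expiry = decode_time(not_after_der)
    return expiry is not None and now.astimezone(timezone.utc) > expiry


# Constructed samples: the Zoom post's "Feb 7 23:59:59 2020 GMT" as UTCTime,
# and the RFC 5280 sentinel as GeneralizedTime.
ZOOM_NOT_AFTER = b"\x17\x0d200207235959Z"
NEVER_EXPIRES = b"\x18\x0f99991231235959Z"

if __name__ == "__main__":
    print("Zoom notAfter :", decode_time(ZOOM_NOT_AFTER))
    print("sentinel      :", decode_time(NEVER_EXPIRES))
    print("round trip ok :", encode_time(decode_time(ZOOM_NOT_AFTER)) == ZOOM_NOT_AFTER)
```

Note that encode_time(datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)) produces the same bytes as encode_time(None), so a decoder has to check for the sentinel before comparing against the clock, which is what is_expired does.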