Re: [OpenCA-Devel] Integer overflow

[Chris Covell <chris@ka...>]

OK, if I sign a CRR I sign it with a ra admin cert with serial "7", the 
sub CA has certificate "4", I get 4 overflow errors in the log. The 
message that the "signature is correctly verified" is displayed.

If I approve the CRR without signing then I get no overflow errors. But 
as this is a production server I need to sign the CRRs

It does seem like it is a problem paresing the signature.

Any other ideas ?

Chris...


Chris Covell wrote:
> Many thanks for your comments guys,
> 
> Looking into it i am seeing the errors when approving CRRs, singing them 
> with a certificate.
> 
> i shall take Martins's advice and have a look at the database for the 
> CRR (they all seem to cause problems). I shall try it without signing 
> the approval too.
> 
> Juergen's point is also a good one, the certifciate I am using to 
> approve the CRRs is from a hierachical PKI, one of the serials numbers 
> may be a bit funny !
> 
> Chris...
> 
> Johnny Gonzalez wrote:
> 
>> Hello Chris,
>> I have seen that message several times, but until now
>> it haven't been any problem, it appears after
>> approving CSRs.
>>
>> As you say so, it appears for very low serial numbers,
>> so I guess this could be a bug in perl libraries.
>>
>> Regards,
>> Johnny
>>
>>
>>  --- Chris Covell <chris@...> escribió:
>>
>>
>>> Guys,
>>>
>>> Openca 0.9.2.2
>>> Openssl 0.9.7
>>>
>>> Have any of you ever seen this in the stderr.log ?
>>>
>>> Integer overflow in hexadecimal number at 
>>> /usr/local/ca001_pki/modules/perl5/OpenCA/PKCS7.pm
>>> line 392.
>>>
>>> The last certificate issued was serial 5368 (0x14F8)
>>>
>>> The last certificate revoked was serial 3366 (0xD26)
>>>
>>> surely these are not such big numbers to overflow ?
>>> Is this a bug as I have duplicated the error in a test script and the
>>> lowest integer I get to cause the overflow is 100000000 ! I am nowhere
>>> near that serial number !
>>>
>>> Chris...
>>>
>>>
>>>
>>>
>>>
>>
>> -------------------------------------------------------
>>
>>> This SF.Net email is sponsored by:
>>> Power Architecture Resource Center: Free content,
>>> downloads, discussions,
>>> and more.
>>> http://solutions.newsforge.com/ibmarch.tmpl
>>> _______________________________________________
>>> OpenCA-Devel mailing list
>>> OpenCA-Devel@...
>>>
>>
>> https://lists.sourceforge.net/lists/listinfo/openca-devel
>>
>>
>>
>>
>>        
>> ______________________________________________ Renovamos el Correo 
>> Yahoo! Nuevos servicios, más seguridad http://correo.yahoo.es
>>
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by:
>> Power Architecture Resource Center: Free content, downloads, discussions,
>> and more. http://solutions.newsforge.com/ibmarch.tmpl
>> _______________________________________________
>> OpenCA-Devel mailing list
>> OpenCA-Devel@...
>> https://lists.sourceforge.net/lists/listinfo/openca-devel
>>
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> OpenCA-Devel mailing list
> OpenCA-Devel@...
> https://lists.sourceforge.net/lists/listinfo/openca-devel
> 

Re: [OpenCA-Devel] Integer overflow

[Johnny Gonzalez <johnnygonzalezl@ya...>]

Hello Michael,

I sent my message before the other messages appear in
my inbox, So I checked my certificates and my CA
Certificate has a serialnumber like this:

2147483647

In the CA Interface and in DB I see this:

9521c7414e4e4e69f68e9360c52f98c87cabff15 (0x2531)

If you ask me why I'll have to say: I don't know why
such a number like that. It was generated
automatically when I configured my PKI system at the
beginning.

Do you think this can lead to any kind of problem? or
should I bypass this warning?

Thanks a lot,
Johnny

 --- Michael Bell <michael.bell@...>
escribió:

> Johnny Gonzalez wrote:
> 
> > I have seen that message several times, but until
> now
> > it haven't been any problem, it appears after
> > approving CSRs.
> 
> Did you approve with signing? Perhaps one of your CA
> certs in the chain 
> has such a high serial (like Juergen stated).
> Nevertheless the use of 
> Math::BigInt should be enforced in all modules.
> 
> Michael
> -- 
>
_______________________________________________________________
> 
> Michael Bell                   
> Humboldt-Universitaet zu Berlin
> 
> Tel.: +49 (0)30-2093 2482       ZE Computer- und
> Medienservice
> Fax:  +49 (0)30-2093 2704       Unter den Linden 6
> michael.bell@...   D-10099 Berlin
>
_______________________________________________________________
> 



		
______________________________________________ 
Renovamos el Correo Yahoo! 
Nuevos servicios, más seguridad 
http://correo.yahoo.es

Re: [OpenCA-Devel] Integer overflow

[Chris Covell <chris@ka...>]

Many thanks for your comments guys,

Looking into it i am seeing the errors when approving CRRs, singing them 
with a certificate.

i shall take Martins's advice and have a look at the database for the 
CRR (they all seem to cause problems). I shall try it without signing 
the approval too.

Juergen's point is also a good one, the certifciate I am using to 
approve the CRRs is from a hierachical PKI, one of the serials numbers 
may be a bit funny !

Chris...

Johnny Gonzalez wrote:
> Hello Chris, 
> 
> I have seen that message several times, but until now
> it haven't been any problem, it appears after
> approving CSRs.
> 
> As you say so, it appears for very low serial numbers,
> so I guess this could be a bug in perl libraries.
> 
> Regards,
> Johnny
> 
> 
>  --- Chris Covell <chris@...> escribió:
> 
> 
>>Guys,
>>
>>Openca 0.9.2.2
>>Openssl 0.9.7
>>
>>Have any of you ever seen this in the stderr.log ?
>>
>>Integer overflow in hexadecimal number at 
>>/usr/local/ca001_pki/modules/perl5/OpenCA/PKCS7.pm
>>line 392.
>>
>>The last certificate issued was serial 5368 (0x14F8)
>>
>>The last certificate revoked was serial 3366 (0xD26)
>>
>>surely these are not such big numbers to overflow ?
>>Is this a bug as I 
>>have duplicated the error in a test script and the
>>lowest integer I get 
>>to cause the overflow is 100000000 ! I am nowhere
>>near that serial number !
>>
>>Chris...
>>
>>
>>
>>
>>
> 
> -------------------------------------------------------
> 
>>This SF.Net email is sponsored by:
>>Power Architecture Resource Center: Free content,
>>downloads, discussions,
>>and more.
>>http://solutions.newsforge.com/ibmarch.tmpl
>>_______________________________________________
>>OpenCA-Devel mailing list
>>OpenCA-Devel@...
>>
> 
> https://lists.sourceforge.net/lists/listinfo/openca-devel
> 
> 
> 
> 
> 		
> ______________________________________________ 
> Renovamos el Correo Yahoo! 
> Nuevos servicios, más seguridad 
> http://correo.yahoo.es
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> OpenCA-Devel mailing list
> OpenCA-Devel@...
> https://lists.sourceforge.net/lists/listinfo/openca-devel
> 

Re: [OpenCA-Devel] Integer overflow

[Michael Bell <michael.bell@cm...>]

Johnny Gonzalez wrote:

> I have seen that message several times, but until now
> it haven't been any problem, it appears after
> approving CSRs.

Did you approve with signing? Perhaps one of your CA certs in the chain 
has such a high serial (like Juergen stated). Nevertheless the use of 
Math::BigInt should be enforced in all modules.

Michael
-- 
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
michael.bell@...   D-10099 Berlin
_______________________________________________________________

RE: [OpenCA-Devel] Integer overflow

[Johnny Gonzalez <johnnygonzalezl@ya...>]

Hello Chris, 

I have seen that message several times, but until now
it haven't been any problem, it appears after
approving CSRs.

As you say so, it appears for very low serial numbers,
so I guess this could be a bug in perl libraries.

Regards,
Johnny


 --- Chris Covell <chris@...> escribió:

> Guys,
> 
> Openca 0.9.2.2
> Openssl 0.9.7
> 
> Have any of you ever seen this in the stderr.log ?
> 
> Integer overflow in hexadecimal number at 
> /usr/local/ca001_pki/modules/perl5/OpenCA/PKCS7.pm
> line 392.
> 
> The last certificate issued was serial 5368 (0x14F8)
> 
> The last certificate revoked was serial 3366 (0xD26)
> 
> surely these are not such big numbers to overflow ?
> Is this a bug as I 
> have duplicated the error in a test script and the
> lowest integer I get 
> to cause the overflow is 100000000 ! I am nowhere
> near that serial number !
> 
> Chris...
> 
> 
> 
> 
>
-------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content,
> downloads, discussions,
> and more.
> http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> OpenCA-Devel mailing list
> OpenCA-Devel@...
>
https://lists.sourceforge.net/lists/listinfo/openca-devel
> 



		
______________________________________________ 
Renovamos el Correo Yahoo! 
Nuevos servicios, más seguridad 
http://correo.yahoo.es

Re: [OpenCA-Devel] Integer overflow

[Martin Bartosch <vc-a56@cy...>]

Hi,

> Have any of you ever seen this in the stderr.log ?
>
> Integer overflow in hexadecimal number at
> /usr/local/ca001_pki/modules/perl5/OpenCA/PKCS7.pm line 392.

nope. But I think the reason might be that a request you have been
processing was signed by a "rogue" certificate with a serial number
outside the range the Perl hex() function can process.

The PKCS7 module parses the output of the openca-sv executable
which prints information about the signed data and the signer certificate=
,
which does not necessarily have to be issued by OpenCA itself...

So I suspect that the signature itself is the reason for this behaviour,
not the internal state of OpenCA.

If possible, have a look at the database and the CSR that caused the
problem. You should be able to extract the header information for
the request, extract the PKCS#7 structure and parse it manually.

Either way, I think there is a bug lurking here, and at least we
should use the BigInt classes to convert integers.

Sorry I could not be of more help,

Martin

Re: [OpenCA-Devel] Integer overflow

[Juergen Brauckmann <brauckmann@df...>]

Chris Covell wrote:
> Guys,
> 
> Openca 0.9.2.2
> Openssl 0.9.7
> 
> Have any of you ever seen this in the stderr.log ?

No.

> Integer overflow in hexadecimal number at
> /usr/local/ca001_pki/modules/perl5/OpenCA/PKCS7.pm line 392.
> 
> The last certificate issued was serial 5368 (0x14F8)
> 
> The last certificate revoked was serial 3366 (0xD26)
> 
> surely these are not such big numbers to overflow ? Is this a bug as I
> have duplicated the error in a test script and the lowest integer I get
> to cause the overflow is 100000000 ! I am nowhere near that serial number !

Just some thoughts:
a) line 392 of PKCS7.pm is obviously called for each certificate
contained in a PKCS#7 structure. If you have a hierarchical PKI with
multiple layerd CA certificates, their serial numbers will also appear
there.

b) OpenCA parses OpenSSL (or is it openca-sv?) output. If
OpenSSL/openca-sv suddenly gives unexpected output, OpenCA::PKCS7 may be
confused. It would be nice to have this output to know what went wrong... .

Juergen

[OpenCA-Devel] Integer overflow

[Chris Covell <chris@ka...>]

Guys,

Openca 0.9.2.2
Openssl 0.9.7

Have any of you ever seen this in the stderr.log ?

Integer overflow in hexadecimal number at 
/usr/local/ca001_pki/modules/perl5/OpenCA/PKCS7.pm line 392.

The last certificate issued was serial 5368 (0x14F8)

The last certificate revoked was serial 3366 (0xD26)

surely these are not such big numbers to overflow ? Is this a bug as I 
have duplicated the error in a test script and the lowest integer I get 
to cause the overflow is 100000000 ! I am nowhere near that serial number !

Chris...

[OpenCA-Devel] Updated: Agenda for Workshop

[Oliver Welter <mail@ol...>]

Valued OpenCA Users,

I want to announce the (hopefully) stable version of the agenda for this 
years workshop.

We have now six interessting Success-Stories in the afternoon:

  * Chipcard's and their Role in PKI Systems (Dr. Stephan Spitz, 
Giesecke & Devrient)
* Using OpenCA in Business (Robert Esterer, Secardeo)
* Identity Management with LDAP (Chris Covell, Diginus)
* LDAP Authentication and LDAP bases Certification Requesting (Peter 
Gietz, DAASI International)
* OpenCA in UTF-8 Environments (Sergei Vyshenski, Cryptocom)
* Secure VPN with Cisco Devices via SCEP / High-Availabilty Setup (Max 
Schmid, T-Systems)

The OCSP talk in the morning was replaced with a talk about the new 
Multi-CA Concept and aspects of Lifetime-Rollover as we will hopefully 
introduce with the next release.

The agenda is available online at the openca.info pages - currently only 
www2.openca.info has the new copy 
http://www2.openca.info/news/ws2005.html, the other mirrors will folow 
shortly.

If you are interessted in joining the workshop please send a mail to 
ws2005@... - there are still some places available for both days.

regards

Oliver
-- 
Diese Nachricht wurde digital unterschrieben
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszertifikat: http://www.ldv.ei.tum.de/page72

[OpenCA-Devel] Announcement: Workshop Agenda for 17/18 October

[Oliver Welter <mail@ol...>]

Dear OpenCA users,

I want to annouced the updated agenda for the upcoming workshop (17/18 
October in Munich/Germany). There are still places left and the dev-team 
would enjoy to meet you. For an up-to-date agenda and other inquiries 
please visit http://www.openca.info/news/ws2005.html

We are also still looking for sucess-stories for the afternoon, so if 
you want to present your work, or if you want to see a special topic 
that is currently not on the list please contact us.

Best regards

Oliver


Monday, 17. Oct - Dev Day

     * 10:30 organizational issues
       * licensing
       * foundation
     * after Lunch - technical issues
       * new core-implementation
       * feature enhancements
       * wishlists
     * 18:30 Entertainment - for all who are already in town

Tuesday, 18. Oct - Users Day

     * 8:30 Registration
     * 9:00 - short Opening Talk with Introduction of the Project
     * 9:15 - OpenCA Outlined
       * Certificate Workflow
       * internal structure
       * Interface Concept
       * Scalability
       * security considerations
     * 10:15 - SCEP
       * How is scep integrated in OpenCA
       * Already implemented features
       * Do's and Dont's
       * A *short* guide for Cisco/OpenCA Combo
     * 10:45 Coffee Break
     * 11:00 - Batch
       * When using the batch ?
       * Batch Concept (Statemaschine)
       * Batch Implementation Details
     * 11:30 - The Multi-CA Concept
       * Multiple CA s with one Installation
       * Lifetime-Rollover

     * 12:00 Lunch
       * Lunch is NOT included in the workshop fee, there are lots of 
beautiful locations around the university to go.

     * 13:30 use case scenarios, approx 30 mins each, currently 
discussing on:
       * Win Logon with Smartcards
       * Identity Management with LDAP
       * LDAP Authentication and LDAP based Certification Requesting
       * Chipcard's and their Role in PKI Systems
       * High-Availabilty Setup for mutliple CA's
       * OpenCA in UTF-8 Environments
       * Secure VPN with Cisco Devices via SCEP
     * 16:30 official end of the workshop
       The rooms are kept open to allow peer to peer discussions.
     * 19:00 doors closed :-)
-- 
Diese Nachricht wurde digital unterschrieben
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszertifikat: http://www.ldv.ei.tum.de/page72

Re: [OpenCA-Devel] Foundation documents

[Edward Middleton <edward@ni...>]

Michael Bell wrote:

> Edward Middleton wrote:
>
>> Potential licensing conflicts (e.g XFree86 -> xorg) are "user issue" you
>> might want the board to consider.  Users have no right to a vote, the
>> point is whether letting them would produce a more effective board.
>> Obviously there are risk with having a too inclusive or too exclusive
>> board.
>
> The argument is good. The question is now which level of user
> integration is optimal? Only more than 50 percent developers or more
> than 2/3 developers in the board? Should user elected board members
> can block license decisions?

I would think 2/3 developers would probably be a good mix.  I don't
think user elected board members should by themselves, be able to block
a license decision, (because they haven't made any direct contribution
to the licensed material), but if a decision is split their vote should
be a deciding factor.

Edward

Re: [OpenCA-Devel] Foundation documents

[Michael Bell <michael.bell@cm...>]

Edward Middleton wrote:

> Potential licensing conflicts (e.g XFree86 -> xorg) are "user issue" you
> might want the board to consider.  Users have no right to a vote, the
> point is whether letting them would produce a more effective board. 
> Obviously there are risk with having a too inclusive or too exclusive board.

The argument is good. The question is now which level of user 
integration is optimal? Only more than 50 percent developers or more 
than 2/3 developers in the board? Should user elected board members can 
block license decisions?

Your comments look for me like it is not your first time that you think 
about licenses and such stuff :)

Michael
-- 
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
michael.bell@...   D-10099 Berlin
_______________________________________________________________

[OpenCA-Devel] testing - please ignore

[Ives Steglich <dalini@da...>]

greetings
dalini

-- 
fingerprint :: F5E8 DAF5 3CD2 2B52 82A2  0AE7 36D5 B889 25E7 15C8
pub         :: 1024D/25E715C8 [expires: 2007-09-09]
sub         :: 2048g/4DE4FB70 [expires: 2007-09-09]

Re: [OpenCA-Devel] Foundation documents

[Edward Middleton <edward@ni...>]

Oliver Welter wrote:

> Hi Edward, Hi List,
>
>>> 1. Board members must/should be active developers.
>>>
>>> If we want that the active developers elect the board then we must
>>> define who are active developers.
>>
>> The reason for making board members active developers is to avoid a
>> split between the board and the developers.  The risk of having a board
>> made completely of developers is that user issues my end up being
>> ignored.  What about having the majority of board members limited to
>> developers and having a minority of members selected with a more "open
>> democratic process".
>
> I think the asumption behind your thoughts does not really fit.
>
> The board does discuss:
> * Naming Rights
> * Licenses
> * Administratives

> So to make it short - all this things are closely related to publish
> and protect the work of the developers-team. There are no
> "user-issues"  so I dont know any reason why and on what users should
> have a vote on this board ?

Potential licensing conflicts (e.g XFree86 -> xorg) are "user issue" you
might want the board to consider.  Users have no right to a vote, the
point is whether letting them would produce a more effective board. 
Obviously there are risk with having a too inclusive or too exclusive board.

Edward

Re: [OpenCA-Devel] Foundation documents

[Oliver Welter <mail@ol...>]

Hi Edward, Hi List,

>>1. Board members must/should be active developers.
>>
>>If we want that the active developers elect the board then we must
>>define who are active developers.
> 
> 
> The reason for making board members active developers is to avoid a
> split between the board and the developers.  The risk of having a board
> made completely of developers is that user issues my end up being
> ignored.  What about having the majority of board members limited to
> developers and having a minority of members selected with a more "open
> democratic process".

I think the asumption behind your thoughts does not really fit.

The board does discuss:
* Naming Rights
* Licenses
* Administratives

So to make it short - all this things are closely related to publish and 
protect the work of the developers-team. There are no "user-issues" so I 
dont know any reason why and on what users should have a vote on this 
board ?
If a "user" contributes *some* code, he does this under the currently 
running license, if a user does *much* work, he will raise up to 
"developer" status and might to get in the board. If a user wants a 
feature he can kindly ask for it, but there is no base for him to demand 
that development. Nevertheless development is very open in OpenCA - if 
someone does work that is considered to be release-quality it will be 
included in the official tree. Other projects are a lot stronger with this !

Oliver
-- 
Diese Nachricht wurde digital unterschrieben
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszertifikat: http://www.ldv.ei.tum.de/page72

Re: [OpenCA-Devel] Foundation documents

[Edward Middleton <edward@ni...>]

Michael Bell wrote:

> Hi Sergei,
>
> Sergei Vyshenski wrote:
>
>> Afraid I can not. As this could upset several of the core, which is
>> the point I would rather escape.
>> Sorry.
>
>
> This is part of an open discussion - I mean the conflict not the ... ;)
>
>> Nonetheless, having a board like in a private club or lodge may be
>> superior and more predictable compared to democracy games.
>
>
> Ok, if I interpret the discussion until here correctly then we need
> perhaps something like a three class system - board members, active
> developers and normal users. So we would have a democracy of peoples
> who are qualified by technical expertise. Does this be safe enough?
>
> The following things must be discussed. So please take them as proposals:
>
> 1. Board members must/should be active developers.
>
> If we want that the active developers elect the board then we must
> define who are active developers.

The reason for making board members active developers is to avoid a
split between the board and the developers.  The risk of having a board
made completely of developers is that user issues my end up being
ignored.  What about having the majority of board members limited to
developers and having a minority of members selected with a more "open
democratic process".

> 2.1. A person is an active developer if he contributes code in the
> last 1/2/3 years which moved into the official source code revision
> system.
>
> 2.2. A person is an active developer if he contributes documentation
> in the last 1/2/3 years (perhaps we should define a volume here).
>
> Please take this like usual as a first, fast and usually erroneous
> approach. So who has better definitions?
>
> Michael

Re: [OpenCA-Devel] Foundation documents

[Michael Bell <michael.bell@cm...>]

Hi Sergei,

Sergei Vyshenski wrote:

> Afraid I can not. 
> As this could upset several of the core, which is the point I would rather escape.
> Sorry.

This is part of an open discussion - I mean the conflict not the ... ;)

> Nonetheless, having a board like in a private club or lodge 
> may be superior and more predictable compared to democracy games.

Ok, if I interpret the discussion until here correctly then we need 
perhaps something like a three class system - board members, active 
developers and normal users. So we would have a democracy of peoples who 
are qualified by technical expertise. Does this be safe enough?

The following things must be discussed. So please take them as proposals:

1. Board members must/should be active developers.

If we want that the active developers elect the board then we must 
define who are active developers.

2.1. A person is an active developer if he contributes code in the last 
1/2/3 years which moved into the official source code revision system.

2.2. A person is an active developer if he contributes documentation in 
the last 1/2/3 years (perhaps we should define a volume here).

Please take this like usual as a first, fast and usually erroneous 
approach. So who has better definitions?

Michael
-- 
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
michael.bell@...   D-10099 Berlin
_______________________________________________________________

Re: [OpenCA-Devel] Foundation documents

[Sergei Vyshenski <svysh@cr...>]

Hi Michael,

Afraid I can not. 
As this could upset several of the core, which is the point I would rather escape.
Sorry.

Nonetheless, having a board like in a private club or lodge 
may be superior and more predictable compared to democracy games.

Sergei

At 12:30 06.09.2005, you wrote:
>Sergei Vyshenski wrote:
>
>>Who offers new board-member, and who will vote? It is easy. Anyone who is active enough to send his offer or vote via email should be considered "an active user", and his vote should be counted.
>
>This sounds realistic and much better than my first idea. Can you please write a paragraph for this voting process including a first proposal for a legislative period? We have also no hen and egg problem for the first board. If the foundation documents must be approved by a voting and not by the board then there is no problem at all.
>
>Michael

[OpenCA-Devel] [Fwd: [openca-cvsdev] CVS: www.openca.org - Imported sources]

[Michael Bell <michael.bell@cm...>]

Hi,

does somebody know what this means? Looks like an import but what was 
imported?

Michael
-- 
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
michael.bell@...   D-10099 Berlin
_______________________________________________________________

[OpenCA-Devel] OpenCA Installer Script

[Oliver Welter <mail@ol...>]

Hi

anyone of you ever worked on an installer script for OpenCA ?
So I mean some handy cli or curses tool that wlaks through the 
config-xml and eases the initial setup ?

Oliver
-- 
Diese Nachricht wurde digital unterschrieben
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszertifikat: http://www.ldv.ei.tum.de/page72

Re: [OpenCA-Devel] License / was Foundation documents

[Michael Bell <michael.bell@cm...>]

Edward Middleton wrote:
> Mike Jackson wrote:
> 
> 
>>Michael Bell wrote:
>>
>>
>>>Hi Oli,
>>>
>>>
>>>>GPL means, every modification you make to the code must go back to
>>>>the project.
>>>
>>>
>>>
>>>This is my idea of GPL too.
>>
>>
>>The GPL certainly allows people to make modifications to code without
>>contributing it back to the project.
> 
> 
> for a relevant quote from GPL FAQ
> 
> http://www.gnu.org/licenses/gpl-faq.html#DevelopChangesUnderNDA
> 
> the important point being. "The GPL would give the client the right to
> redistribute your version."

I'm not a specialist for licenses, so does this be the background of 
what FSF understand as copyleft?

Second question, can we simply define that the writing and integration 
of OpenCA::Commands is intended use (like Linux does it with the system 
calls)?

Michael
-- 
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
michael.bell@...   D-10099 Berlin
_______________________________________________________________

[OpenCA-Devel] Your Vote: Agenda for the Workshop

[Oliver Welter <mail@ol...>]

Dear OpenCA Users,

for those who are new on the list: There will be an OpenCA User Workshop 
on 17/18 October in Munich/Germany - see 
 http://www.openca.info/news/ws2005.html for details.

I am currently composing the Agenda and I want your opinion.

Current plans for Tuesday:
9:00 to 12.00: Introduction in the OpenCA Concept, the new Core, 
Batch-System and SCEP/OCSP. This is done by the Developers and should 
give you a slight idea how the whole thing works.

13.30 to 16.30: Use-Cases and Sucess-Stories

Topics currently in planning are:
* Win Logon with Smartcards
* Identity Management with LDAP
* LDAP Authentication and LDAP bases Certification Requesting
* Chipcard's and their Role in PKI Systems
* High-Availabilty Setup for mutliple CA's
* Automated certification with Batch System
* OpenCA in UTF-8 Environments
* Secure VPN with Cisco Devices via SCEP

The question to you: Do you want to here all of these in a short manner 
or only some of them (so which) in a longer talk ?

Please make your vote and tell us, so the workshop becomes a satisfying 
event for all of you :)

Oliver
-- 
Diese Nachricht wurde digital unterschrieben
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszertifikat: http://www.ldv.ei.tum.de/page72

Re: [OpenCA-Devel] License / was Foundation documents

[Edward Middleton <edward@ni...>]

Mike Jackson wrote:

> Michael Bell wrote:
>
>> Hi Oli,
>>
>>>
>>> GPL means, every modification you make to the code must go back to
>>> the project.
>>
>>
>>
>> This is my idea of GPL too.
>
>
> The GPL certainly allows people to make modifications to code without
> contributing it back to the project.

for a relevant quote from GPL FAQ

http://www.gnu.org/licenses/gpl-faq.html#DevelopChangesUnderNDA

the important point being. "The GPL would give the client the right to
redistribute your version."

Edward

[OpenCA-Devel] Why Greek is so special?

[Sergei Vyshenski <svysh@cr...>]

Dear developers,

Does anybody know why Greek is the only
language left whose "openca.po" file is kept in
non-utf8 encoding in the stable branch-0_9_2?

I tried an experiment:
decoded Greek openca.po into utf-8, 
changed line 

"Content-Type: text/plain; charset=iso-8859-7\n" 

into utf-8, built a new openca.mo. Atfer this 
Greek interface 
behaves especially buggy making overall installation
rather unstable with respect to Language and Encoding
settings in config.xml and in browser preferences.

I even experienced abrupt and unrequested change 
of the browser-encoding from the Greek,iso-8859-7 into 
"Chinese" which was really amazing.

All the best, Sergei

Re: [OpenCA-Devel] License / was Foundation documents

[Mike Jackson <mj@sc...>]

Oliver Welter wrote:
> Hi Micha,
> 
> I would prefer GPL too, but should than keep in mind that we need a base 
> for commercial companies to make their business - I think this can be 
> special interfaces or batch-systems. But in this case they should be a 
> way for them to sell the extensions without the need to use our code...

If you look at the Fedora Directory Server license, you can find a good 
example of how to do this. It explicitly permits developing and 
distributing plugins as proprietary licensed code.


--
mike