I am sorry to read this, Kevin. It suggests that RedHat has
forgotten its open-source roots and what made it a billion
dollar company in the first place.

We are all familiar with the **** that companies put up with
when buying some commercial products. Open-source was meant
to be an answer to that problem - that quality could be vastly
improved in software when there were many eyes looking at the
source - not because some people just like the idea of seeing
the source-code of the products they use.

That RedHat was making money on services off of open-source
products was perfectly acceptable - there is real value in
services. But, when the open-source company starts
differentiating its open-source products from its commercial
products, it subverts the whole notion of open-source and what
it stands for.

If the fix did not exist and it was up to the open-source
community to prioritize the fix, that's one thing. But when
the fix *does* exist, and has been merged into the commercial
branch, but is not merged into the open-source branch - that
suggests deliberate manipulation of the trust and goodwill of
the open-source community.

Arshad Noor
StrongAuth, Inc.

Kevin Unthank wrote:

Hi Arshad,

Obviously, there are differences between RHCS8 and the latest release
of Dogtag. Generally, new feature development takes place in dogtag
and some of those features find their way back into RHCS8. Bug fixing
often occurs first in RHCS8 and those fixes are ported to dogtag.

PKI with only SHA-2 hashes is a fix that was made in the RHCS8
code tree and released in both source and binary form in errata
RHBA-2009-1602. That fix will make it into dogtag builds but I can't
commit to a specific release or date when this will happen.

Until then it should be possible to work around the problem by using
pkisilent or the renewal method suggested by Andrew.

Cheers,
Kev

On 04/08/2010 10:55 AM, Arshad Noor wrote:
> Can someone from the DogTag Engineering team confirm that a PKI
> with only SHA-2 hashes *cannot* be built with the current version
> of the product?
>
> I find this hard to believe given that the RHCS documentation seems
> to indicate that it is possible to do so, and given that the
> underlying code already has SHA-2 support; nevertheless, can someone
> confirm Oliver's finding? Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
> P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
> can be configured at the time the self-signed cert is created, does
> that imply that the commercial RHCS is technologically different from
> the open-source DogTag? And, that it isn't just a question of RedHat
> support?
>
>
> Oliver Burtchen wrote:
>> Hi @ all,
>>
>> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
>> editing the config files. No luck!
>>
>> I found, this is hard-coded in the sources, for example in:
>>
>> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
>> - pki-common-1.3.2//src/com/netscape/cmscore/security/CASigningCert.java
>>
>> Just look for "SHA1withRSA" in the files, I don't think these are just
>> fallbacks.
>> Best regards,
>> Oli
>>
>>
>>
>> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
>>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
>>>> The only option that is visible under Advanced is the key-size
>>>> for each of the certificate-types. The hash algorithm does not
>>>> show up at all.
>>>>
>>>> Even the default, as mentioned by Step 8, is not the default as
>>>> the last 10-12 installs have shown:
>>>>
>>>> * SHA256withRSA (the default)
>>>>
>>>> So, the question is: is the current build of DogTag in the pki
>>>> repository identical to RHCS 8.0 or is it a different version?
>>> It might very well be ... we can look at the svn commits
>>> to be really sure...
>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>>
>>>> Chandrasekar Kannan wrote:
>>>>> the installation wizard should provide 'options' under the advanced
>>>>> section for you to be able to select the alg to use. Have you tried
>>>>> doing Step (8) from here ?
>>>>>
>>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users