From owner-freebsd-security Mon Jul 7 09:57:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA23310 for security-outgoing; Mon, 7 Jul 1997 09:57:35 -0700 (PDT)
Received: from cmu1.acs.cmu.edu (CMU1.ACS.CMU.EDU [128.2.35.186]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA23305 for ; Mon, 7 Jul 1997 09:57:31 -0700 (PDT)
Received: from apriori.cc.cmu.edu (APRIORI.CC.CMU.EDU [128.2.72.117]) by cmu1.acs.cmu.edu (8.8.2/8.8.2) with SMTP id MAA14345; Mon, 7 Jul 1997 12:57:21 -0400
Date: Mon, 7 Jul 1997 12:57:20 -0400 (EDT)
From: Robert N Watson
X-Sender: rnw@apriori.cc.cmu.edu
To: Jim Binkley
cc: freebsd-security@FreeBSD.ORG
Subject: Re: apology and question re certificate servers
In-Reply-To: <199707011702.KAA07768@sirius.cs.pdx.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 1 Jul 1997, Jim Binkley wrote:

>
> I hate it when I try and send personal mail and send it to
> a mailing list... Sigh. Sorry ... shoot too quick and the foot hurts.
>
> but on the other hand, a question for anyone on the mailing list.
>
> Has anybody tried to set up any kind of certificate server
> on any kind of system? With what results?
> I'm not even sure what is available to play with at this point;
> e.g., that might cost money or be free.
>
> 1. netscape server + certificate server I presume to do ssl
> 3.0 stuff with netscape clients.
> 2. dns sec stuff somewhere?
> 3. ssleay?

A free reference DNSsec implementation is available from Trusted
Information Systems (TIS) at:

http://www.tis.com/docs/research/network/dns.html

It is based on BIND 4.9.5, although we currently have a BIND8 DNSsec
implementation in the workings. Information on getting/configuring/etc
DNSsec is all on that page. You'll need to get a copy of RSARef (free but
export-restricted.) Instructions are all there.
Since DNSsec is still under development (NXT records, dynamic DNS
interaction, etc, are still underway, as is a clarify document, I
believe.)

With regards to other stuff -- haven't tried SSL/TLS in any of its forms,
server-side. I noticed the other day that MIT now has their own
certificate service (was grabbing some IETF Security Directorate stuff,
and had to install a certificate in my browser before I could view the
pages.) Seemed a little unusual -- I guess they are not interested in
Verisign's offerings?

Robert Watson
(rwatson@tis.com for Trusted Information Systems related mail)