Changes between Version 7 and Version 8 of faq/security/mfpl-certificate-authority


Timestamp: Jan 24, 2013, 11:34:06 AM (7 years ago)
Author: Daniel Kahn Gillmor
Comment: --

  • faq/security/mfpl-certificate-authority

    v7 v8  
     1[[PageOutline]]
     2
    13= Some of your web sites tell me that your security certificate was signed by an unknown entity. What can I do to get to know you? =
    24
     
    1315We are beginning to take a new track. Rather than paying money to corporation to prove that we are who we say we are, we are using our own Certificate Authority.  We use this certificate authority to certify the identity of some of our web sites, like the OpenPGP keyserver https://keys.mayfirst.org.
    1416
    15 The catch: You have to install our Certificate Authority in your web browser. You can do that by clicking on the link below that says mfpl.cert.
     17The catch: You have to install our Certificate Authority in your web browser and other tools. You can do that by fetching the link below that says `mfpl.cert` and following the appropriate instructions for your browser or other tool.
    1618
    17 == Firefox or Iceweasel ==
    1819
    19 If you are running Firefox, it will take you through the steps of accepting it automatically. Click the link that says mfpl.crt below, then scroll down and click "original format" where it says "Download in other formats." If Firefox prompts you to save the file, save it to your hard drive. Then click File -> Open and open the file. Follow the prompts to install it.
    20 
    21 == Internet Explorer ==
    22 
    23 If you are running Internet Explorer, download and save the file. Then:
    24 
    25  1. Click Tools -> Internet Options
    26  1. Click Content -> Certificates
    27  1. Click Trusted Root Certificates
    28  1. Click Import
    29 
    30 == Verifying the certificate ==
     20= Verifying the certificate =
    3121
    3222If you'd like to confirm that this certificate is the proper certificate (and you have the gpg key for Jamie), you can download our respective asc files and run:
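
Review bot: The rewritten paragraph at v8 line 17 names the file `mfpl.cert`, while the Firefox instructions on this page and the new GnuPG example both call it `mfpl.crt`; use one name, matching the attachment, so readers fetch and save the right file. Since this sentence is now the single entry point for every tool, it would also help to point readers to the "Verifying the certificate" section (v8 line 20) before they follow any install steps, so the certificate is checked before it is trusted.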
     
    4434}}}
    4535
    46 == Certificate updates ==
    4736
    48  * 2008-05-24 We generated a new certificate due to the [wiki:openssl_vulnerability_2008-05 Debian openssl vulnerability]. Please remove our old certificate and replace it with the attached one. The old certificate has the serial number 00:DC:04:BC:5B:7E:E0:73:FA.
    49  * 2009-01-12 We have generated a new certificate due to [http://www.win.tue.nl/hashclash/rogue-ca/ weaknesses in the method we used to sign our previous certificate]. The old certificate has the serial number: 00:D2:CB:A4:EB:C6:65:92:DF.
    50  * 2010-11 [ticket:3606 discussion about yet another certificate authority overhaul] begins...
     37= installing the MF/PL CA in different software =
    5138
    52 == Deleting certificates ==
     39== Installing in Firefox or Iceweasel ==
    5340
    54 === In Firefox/Iceweasel ===
     41If you are running Firefox, it will take you through the steps of accepting it automatically. Click the link that says mfpl.crt below, then scroll down and click "original format" where it says "Download in other formats." If Firefox prompts you to save the file, save it to your hard drive. Then click File -> Open and open the file. Follow the prompts to install it.
     42
     43== Installing in Internet Explorer ==
     44
     45If you are running Internet Explorer, download and save the file. Then:
     46
     47 1. Click Tools -> Internet Options
     48 1. Click Content -> Certificates
     49 1. Click Trusted Root Certificates
     50 1. Click Import
     51
     52== installing in debian and debian/derived OSes ==
     53
     54If you run [http://debian.org/ the debian OS] (or some debian-derived OS like Mint or Ubuntu), and you want to grant this CA authority for many of the standard tools in debian, you can add it by putting the certificate as a file in `/usr/local/share/ca-certificates/` and then running `update-ca-certificates`.  you'll need to have superuser privileges to do both of these steps.
     55
     56== installing in GnuPG for keyserver connectivity ==
     57
     58You might be interested in using this certificate authority to verify connections to https://keys.mayfirst.org when fetching key updates.
     59
     60To do this, you'll want to save the certificate to some local file (in this example, it's in `/path/to/mfpl.crt` -- you'll need to adjust to match where you stored the file), and you need to make sure that [DebianPackage:gnupg-curl] is installed.
     61
     62Add the following lines to `~/.gnupg/gpg.conf`:
     63{{{
     64keyserver hkps://keys.mayfirst.org
     65keyserver-options ca-cert-file=/path/to/mfpl.crt
     66}}}
     67
     68
     69= Deleting certificates =
     70
     71== In Firefox/Iceweasel ==
    5572
    5673 * Click Edit -> Preferences
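
Review bot: The Debian instructions at v8 line 54 say to put the certificate "as a file" in `/usr/local/share/ca-certificates/` without saying that the file name must end in `.crt`; `update-ca-certificates` only picks up files with that extension (in PEM format), so a copy saved as `mfpl.cert`, the name used at v8 line 17, would be skipped without an error. Suggest naming the target explicitly, e.g. `/usr/local/share/ca-certificates/mfpl.crt`. Minor: the new headings at v8 lines 37, 52 and 56 start lowercase ("installing ...") while lines 39 and 43 use "Installing".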
     
    6481 * Then, select the certificate and click delete
    6582
     83== In debian or derived OSes ==
     84
     85As the superuser:
     86
     87 * remove the file from `/usr/local/share/ca-certificates/`
     88 * run `update-ca-certificates`
     89
     90
     91= History =
     92
     93== Certificate updates ==
     94
     95 * 2008-05-24 We generated a new certificate due to the [wiki:openssl_vulnerability_2008-05 Debian openssl vulnerability]. Please remove our old certificate and replace it with the attached one. The old certificate has the serial number 00:DC:04:BC:5B:7E:E0:73:FA.
     96 * 2009-01-12 We have generated a new certificate due to [http://www.win.tue.nl/hashclash/rogue-ca/ weaknesses in the method we used to sign our previous certificate]. The old certificate has the serial number: 00:D2:CB:A4:EB:C6:65:92:DF.
     97 * 2010-11 [ticket:3606 discussion about yet another certificate authority overhaul] begins...
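
Review bot: The "Deleting certificates" section now covers Firefox/Iceweasel and Debian (v8 lines 71 to 88) but has no removal steps for Internet Explorer or for the GnuPG `ca-cert-file` setting, both of which have install instructions in v8. The History entry at v8 line 95 asks readers to remove the old certificate, so each installation section should have a matching removal subsection; for GnuPG that means deleting or updating the `keyserver-options ca-cert-file=...` line in `~/.gnupg/gpg.conf`.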