Attempt to verify Thawte signature
Bernhard Reiter
bernhard@intevation.de
Wed Aug 13 11:36:01 2003
--zS7rBR6csb6tI2e1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
[ Sending this to gpa-dev@ and gnupg-users@, because I think
that it is not widely known enough that you can do minipayments
to motivate g10 Code to treat your questions or features first. ;)
E.g. search the GnuPG 1.2.1 annoucement for "g10 Code"
where one possiblity is meant but lost in the huge annoucement:
http://lists.gnupg.org/pipermail/gnupg-users/2002-October/015644.html
]
I'm really interested in my question below,
but I realise that g10 Code (Werner's company)=20
cannot always answer all support questions.
They just care for so many very important Free Software projects
and the priority for their volenteeringly done efforts=20
will be set by their plans, interests and visions.
Thus I've now put a=20
50 Euro tag for g10code on the issue
to have them at least look at the problem and tell me their ideas.
If you are a user of g10code technology,=20
consider paying for its value or support.
Check their maintenance point system:
http://www.g10code.de/products.html
=46rom Germany it is easy to just transfer the money and get a bill by g10c=
ode.
This should have become easy in EU/Euro countries recently, too.
Best,
Bernhard
On Fri, Jul 04, 2003 at 11:04:45PM +0200, Bernhard Reiter wrote:
> Saw an email by someone with a Thawte Freemail certificate
> and tried to make it possible to verify it.
> (e.g. like http://intevation.de/pipermail/kolab-devel/2003-July/000298.ht=
ml)
> Here are my notes, I was not successful yet. :)
>=20
> Had to get the root CA cert into gpgsm.
> Found it at
> lynx https://www.thawte.com/html/SUPPORT/popups/rootsSUPPORT.html
> =20
> Thawte email certificate roots
> http://www.thawte.com/html/SUPPORT/keygen/persfree.crt
> http://www.thawte.com/html/SUPPORT/keygen/persbasi.crt
> =20
> Get some information about it:
> openssl x509 -inform dem -in persfree.crt -text
> =20
> import it
> gpgsm --import persfree.crt
>=20
> Now gpgsm displays:
> =20
> Serial number: 664572B7CC74F5CF63764584D02E9101
> Issuer: /CN=3DThawte Personal Freemail CA/OU=3DCertification Servi=
ces Division/O=3DThawte Consulting/L=3DCape Town/ST=3DWestern Cape/C=3DZA/E=
Mail=3Dpersonal-freemail@thawte.com
> Subject: /CN=3DPersonal Freemail RSA 2000.8.30/OU=3DCertificate Ser=
vices/O=3DThawte/L=3DCape Town/ST=3DWestern Cape/C=3DZA
> validity: 2000-08-30 00:00:00 Z through 2004-08-27 23:59:59 Z
> key usage: certSign crlSign
> chain length: 0
> fingerprint: 81:D1:93:09:0A:F0:A7:00:1F:61:B7:15:F9:8F:54:12:82:F3:1C:90
>=20
> Serial number: 00
> Issuer: /CN=3DThawte Personal Freemail CA/OU=3DCertification Servi=
ces Division/O=3DThawte Consulting/L=3DCape Town/ST=3DWestern Cape/C=3DZA/E=
Mail=3Dpersonal-freemail@thawte.com
> Subject: /CN=3DThawte Personal Freemail CA/OU=3DCertification Servi=
ces Division/O=3DThawte Consulting/L=3DCape Town/ST=3DWestern Cape/C=3DZA/E=
Mail=3Dpersonal-freemail@thawte.com
> validity: 1996-01-01 00:00:00 Z through 2020-12-31 23:59:59 Z
> chain length: unlimited
> fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
>=20
> =20
> Now trying the crl, you can get it at
> lynx https://www.thawte.com/cgi/lifecycle/roots.exe
> https://www.thawte.com/cgi/lifecycle/ThawtePersonalFreemailRSA2000830.=
crl
> =20
> gpgsm --call-dirmngr LOADCRL /powerhome/bernhard/thawte/ThawtePersonal=
FreemailRSA2000830.crl
>=20
> Somehow it does not get the right CA certificate,
> strange.
>=20
> 2003-07-04 23:01:56 [6936] DBG: digest algo: 1.2.840.113549.1.1.4
> 2003-07-04 23:01:56 [6936] DBG: Inquiring CN=3DPersonal Freemail RSA 2000=
.8.30,OU=3DCertificate Services,O=3DThawte,L=3DCape Town,ST=3DWestern Cape,=
C=3DZA
> 2003-07-04 23:01:56 [6936] Error in assuan_inquire(), rc =3D 3
> 2003-07-04 23:01:56 [6936] DBG: No result from inquire
>=20
> 2003-07-04 23:01:56 [6936] error fetching certificate for issuer: rc=3D302
> 2003-07-04 23:01:56 [6936] DBG: Could not cert CRL issuer cert!!!
> 2003-07-04 23:01:56 [6936] DBG: crl_parse_insert CRL_SIG_ERROR
> 0x8056fe8 -> ERR 204 bad signature
> 0x8056fe8 <- [EOF]
>=20
> Any ideas?
--zS7rBR6csb6tI2e1
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQA/OOdah9ag3dpKERYRAlxpAJ9a6w53qAlZCrXHC67MG5PvMAxunwCg3QWZ
0/KwfKq3rEvoy9HutkABLGM=
=2wsS
-----END PGP SIGNATURE-----
--zS7rBR6csb6tI2e1--