Attempt to verify Thawte signature

Bernhard Reiter bernhard@intevation.de
Wed Aug 13 11:36:01 2003 

--zS7rBR6csb6tI2e1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[ Sending this to gpa-dev@ and gnupg-users@, because I think
  that it is not widely known enough that you can do minipayments
  to motivate g10 Code to treat your questions or features first. ;)

  E.g. search the GnuPG 1.2.1 annoucement for "g10 Code"
  where one possiblity is meant but lost in the huge annoucement:
  http://lists.gnupg.org/pipermail/gnupg-users/2002-October/015644.html
]

I'm really interested in my question below,
but I realise that g10 Code (Werner's company)=20
cannot always answer all support questions.
They just care for so many very important Free Software projects
and the priority for their volenteeringly done efforts=20
will be set by their plans, interests and visions.

Thus I've now put a=20
	50 Euro tag for g10code on the issue
to have them at least look at the problem and tell me their ideas.

If you are a user of g10code technology,=20
consider paying for its value or support.
Check their maintenance point system:
http://www.g10code.de/products.html

=46rom Germany it is easy to just transfer the money and get a bill by g10c=
ode.
This should have become easy in EU/Euro countries recently, too.

Best,
	Bernhard

On Fri, Jul 04, 2003 at 11:04:45PM +0200, Bernhard Reiter wrote:
> Saw an email by someone with a Thawte Freemail certificate
> and tried to make it possible to verify it.
> (e.g. like http://intevation.de/pipermail/kolab-devel/2003-July/000298.ht=
ml)
> Here are my notes, I was not successful yet. :)
>=20
>    Had to get the root CA cert into gpgsm.
>    Found it at
>       lynx https://www.thawte.com/html/SUPPORT/popups/rootsSUPPORT.html
>   =20
>    	   Thawte email certificate roots
>    	   http://www.thawte.com/html/SUPPORT/keygen/persfree.crt
>    	   http://www.thawte.com/html/SUPPORT/keygen/persbasi.crt
>   =20
>    Get some information about it:
>    	openssl x509 -inform dem -in persfree.crt  -text
>   =20
>    import it
>    	gpgsm --import persfree.crt
>=20
> Now gpgsm displays:
>   =20
> Serial number: 664572B7CC74F5CF63764584D02E9101
>        Issuer: /CN=3DThawte Personal Freemail CA/OU=3DCertification Servi=
ces Division/O=3DThawte Consulting/L=3DCape Town/ST=3DWestern Cape/C=3DZA/E=
Mail=3Dpersonal-freemail@thawte.com
>       Subject: /CN=3DPersonal Freemail RSA 2000.8.30/OU=3DCertificate Ser=
vices/O=3DThawte/L=3DCape Town/ST=3DWestern Cape/C=3DZA
>      validity: 2000-08-30 00:00:00 Z through 2004-08-27 23:59:59 Z
>     key usage: certSign crlSign
>  chain length: 0
>   fingerprint: 81:D1:93:09:0A:F0:A7:00:1F:61:B7:15:F9:8F:54:12:82:F3:1C:90
>=20
> Serial number: 00
>        Issuer: /CN=3DThawte Personal Freemail CA/OU=3DCertification Servi=
ces Division/O=3DThawte Consulting/L=3DCape Town/ST=3DWestern Cape/C=3DZA/E=
Mail=3Dpersonal-freemail@thawte.com
>       Subject: /CN=3DThawte Personal Freemail CA/OU=3DCertification Servi=
ces Division/O=3DThawte Consulting/L=3DCape Town/ST=3DWestern Cape/C=3DZA/E=
Mail=3Dpersonal-freemail@thawte.com
>      validity: 1996-01-01 00:00:00 Z through 2020-12-31 23:59:59 Z
>  chain length: unlimited
>   fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
>=20
>   =20
>    Now trying the crl, you can get it at
>    lynx https://www.thawte.com/cgi/lifecycle/roots.exe
>    https://www.thawte.com/cgi/lifecycle/ThawtePersonalFreemailRSA2000830.=
crl
>   =20
>    gpgsm --call-dirmngr LOADCRL /powerhome/bernhard/thawte/ThawtePersonal=
FreemailRSA2000830.crl
>=20
> Somehow it does not get the right CA certificate,
> strange.
>=20
> 2003-07-04 23:01:56 [6936] DBG: digest algo: 1.2.840.113549.1.1.4
> 2003-07-04 23:01:56 [6936] DBG: Inquiring CN=3DPersonal Freemail RSA 2000=
.8.30,OU=3DCertificate Services,O=3DThawte,L=3DCape Town,ST=3DWestern Cape,=
C=3DZA
> 2003-07-04 23:01:56 [6936] Error in assuan_inquire(), rc =3D 3
> 2003-07-04 23:01:56 [6936] DBG: No result from inquire
>=20
> 2003-07-04 23:01:56 [6936] error fetching certificate for issuer: rc=3D302
> 2003-07-04 23:01:56 [6936] DBG: Could not cert CRL issuer cert!!!
> 2003-07-04 23:01:56 [6936] DBG: crl_parse_insert CRL_SIG_ERROR
> 0x8056fe8 -> ERR 204 bad signature
> 0x8056fe8 <- [EOF]
>=20
> Any ideas?

--zS7rBR6csb6tI2e1
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA/OOdah9ag3dpKERYRAlxpAJ9a6w53qAlZCrXHC67MG5PvMAxunwCg3QWZ
0/KwfKq3rEvoy9HutkABLGM=
=2wsS
-----END PGP SIGNATURE-----

--zS7rBR6csb6tI2e1--