Attempt to verify Thawte signature

Bernhard Reiter bernhard@intevation.de
Fri Jul 4 23:03:06 2003


Saw an email by someone with a Thawte Freemail certificate
and tried to make it possible to verify it.
(e.g. like http://intevation.de/pipermail/kolab-devel/2003-July/000298.html)
Here are my notes, I was not successful yet. :)

   Had to get the root CA cert into gpgsm.
   Found it at
      lynx https://www.thawte.com/html/SUPPORT/popups/rootsSUPPORT.html

           Thawte email certificate roots
           http://www.thawte.com/html/SUPPORT/keygen/persfree.crt
           http://www.thawte.com/html/SUPPORT/keygen/persbasi.crt

   Get some information about it:
        openssl x509 -inform der -in persfree.crt -text

   import it
        gpgsm --import persfree.crt

Now gpgsm displays:

Serial number: 664572B7CC74F5CF63764584D02E9101
       Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
      Subject: /CN=Personal Freemail RSA 2000.8.30/OU=Certificate Services/O=Thawte/L=Cape Town/ST=Western Cape/C=ZA
     validity: 2000-08-30 00:00:00 Z through 2004-08-27 23:59:59 Z
    key usage: certSign crlSign
 chain length: 0
  fingerprint: 81:D1:93:09:0A:F0:A7:00:1F:61:B7:15:F9:8F:54:12:82:F3:1C:90

Serial number: 00
       Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
      Subject: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
     validity: 1996-01-01 00:00:00 Z through 2020-12-31 23:59:59 Z
 chain length: unlimited
  fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85

   Now trying the crl, you can get it at
   lynx https://www.thawte.com/cgi/lifecycle/roots.exe
   https://www.thawte.com/cgi/lifecycle/ThawtePersonalFreemailRSA2000830.crl

   gpgsm --call-dirmngr LOADCRL /powerhome/bernhard/thawte/ThawtePersonalFreemailRSA2000830.crl

Somehow it does not get the right CA certificate,
strange.

2003-07-04 23:01:56 [6936] DBG: digest algo: 1.2.840.113549.1.1.4
2003-07-04 23:01:56 [6936] DBG: Inquiring CN=Personal Freemail RSA 2000.8.30,OU=Certificate Services,O=Thawte,L=Cape Town,ST=Western Cape,C=ZA
2003-07-04 23:01:56 [6936] Error in assuan_inquire(), rc = 3
2003-07-04 23:01:56 [6936] DBG: No result from inquire

2003-07-04 23:01:56 [6936] error fetching certificate for issuer: rc=302
2003-07-04 23:01:56 [6936] DBG: Could not cert CRL issuer cert!!!
2003-07-04 23:01:56 [6936] DBG: crl_parse_insert CRL_SIG_ERROR
0x8056fe8 -> ERR 204 bad signature
0x8056fe8 <- [EOF]

Any ideas?

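The dirmngr log in the message stops at fetching the CRL issuer's certificate and then reports a bad signature. As an added example (not part of the original message, and not gpgsm or dirmngr code), this shell script uses openssl to tell those two cases apart for a given certificate and CRL. The function names and the throwaway test PKI built by `make_demo` are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example: check a CRL against a candidate issuer certificate.
# Inputs are PEM; a DER file converts with e.g.
#   openssl x509 -inform der -in persfree.crt -out persfree.pem

# Strip the "subject=" / "issuer=" label from openssl's one-line DN output.
dn_of() { sed -n 's/^[a-z]*= *//p' | head -n 1; }
crl_issuer_dn()   { openssl crl  -in "$1" -noout -issuer  -nameopt RFC2253 | dn_of; }
cert_subject_dn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | dn_of; }

# usage: check_crl CERT.pem CRL.pem
# prints: ok | issuer-not-found | bad-signature
check_crl() {
    cert=$1; crl=$2
    # Step 1: the CRL issuer DN must be the certificate's subject DN.
    if [ "$(crl_issuer_dn "$crl")" != "$(cert_subject_dn "$cert")" ]; then
        echo issuer-not-found; return 1
    fi
    # Step 2: the CRL signature must verify under that certificate's key.
    # "openssl crl" reports the result on stderr, so match the text.
    if openssl crl -in "$crl" -CAfile "$cert" -noout 2>&1 | grep -q 'verify OK'; then
        echo ok
    else
        echo bad-signature; return 1
    fi
}

# usage: make_demo DIR
# Builds a constructed throwaway PKI (not Thawte's): issuer.pem signs demo.crl,
# samedn.pem has the same subject but another key, other.pem another subject.
make_demo() {
    d=$1
    : > "$d/index.txt"
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[ca]' 'default_ca=c' \
        '[c]' "database=$d/index.txt" 'default_md=sha256' \
        'default_crl_days=1' > "$d/demo.cnf"
    for n in issuer samedn other; do
        case $n in other) cn='Constructed Other CA' ;; *) cn='Constructed Issuing CA' ;; esac
        openssl req -config "$d/demo.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$cn" -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
    done
    openssl ca -config "$d/demo.cnf" -gencrl -keyfile "$d/issuer.key" \
        -cert "$d/issuer.pem" -out "$d/demo.crl" 2>/dev/null
}
```

An `issuer-not-found` result means the certificate offered is not the one named as the CRL's issuer; `bad-signature` means the name matches but the key does not.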