NAI pulls out the DMCA stick

Eric Murray ericm at lne.com
Fri May 24 17:03:56 PDT 2002


On Fri, May 24, 2002 at 12:07:48PM -0700, Curt Smith wrote:
> While we are on the subject of issuing your own X.509
> certificates:
> 
> 1.  How do you create an X.509 signing hierarchy?

Do a web search on "openssl certificate authority".

> 2.  Can you add additional algorithms (i.e. Twofish)?

Yes, if the libraries you use support them.
Note that twofish, being a symmetric algorithm, would
not be used in certificates.  Public key and hashes only.

> 3.  Is a relevant developer reference available for X.509?


X.509 is an ITU/T standard, which means, among other things, that
they charge money for copies.  You can find copies on the net though.
Being ITU/T also means that the standard is written in a format and
style that is designed to be as incomprehensible as possible.  This keeps
the professional meeting-goers who write these things from having to
search for honest work.  The documents get progressively less
understandable over time, so it's best to start with the 1988 version.
PKCS#6 explains X.509 as well and is easier to understand.

Peter Gutmann's X.509 Style Guide is quite comprehensible and
also pretty funny after you have spent time trying to decipher
X.509 or any other X.whatever standard.
Peter also has a neat utility called dumpasn1 which you will
want if you start diddling X.509 certs.

Openssl is probably the most common library for doing cert
stuff these days.  Unfortunately the docs for Openssl are pretty
much non-existent and the ASN.1 code is particularly difficult
to understand.


Eric
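
Added example for question 1 (not part of the original message): a shell script that uses the openssl command-line tool to build a root CA, an intermediate CA and a leaf certificate, plus a certificate issued by the non-CA leaf, and a helper that checks whether a certificate chains to the root. All CNs, file names and function names are made up for illustration, and it assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not from the original post. CNs, file names and function
# names are made up; assumes the openssl command-line tool is installed.

build_hierarchy() (   # $1 = existing empty directory (body runs in a subshell)
    cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
    for n in root inter leaf rogue; do   # one key pair and one CSR per entity
        openssl ecparam -genkey -name prime256v1 -noout -out "$n.key" &&
        openssl req -new -config ca.cnf -key "$n.key" \
            -subj "/CN=Example $n" -out "$n.csr" || exit 1
    done
    sign() {   # sign <subject> <issuer> <extension section> <days>
        openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
            -CAcreateserial -sha256 -days "$4" \
            -extfile ca.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
    }
    # The root signs itself; every other certificate is signed by its parent.
    openssl x509 -req -in root.csr -signkey root.key -sha256 -days 3650 \
        -extfile ca.cnf -extensions v3_root -out root.crt 2>/dev/null &&
    sign inter root v3_inter 1825 &&
    sign leaf inter v3_leaf 365 &&
    sign rogue leaf v3_leaf 365   # issuer is a CA:FALSE leaf; must not verify
)

# chain_ok <dir> <cert> [file of untrusted intermediates]
# Succeeds only if <cert> has a valid path to root.crt.
chain_ok() (
    cd "$1" || exit 1
    openssl verify -CAfile root.crt ${3:+-untrusted "$3"} "$2" 2>&1 |
        grep -q ': OK$'
)

d=$(mktemp -d) && build_hierarchy "$d" &&
    chain_ok "$d" leaf.crt inter.crt && echo "leaf.crt chains to root.crt"
```

Calling chain_ok for leaf.crt without the intermediate, or for rogue.crt with inter.crt and leaf.crt concatenated as the untrusted file, fails, because path building needs every issuer and every issuer must carry CA:TRUE.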




