[Djigzo users] Windows xp does not accept the root certificate

Christine christine at christine.nl
Thu Jul 16 15:09:44 CEST 2009


Andreas Schubert wrote:
> what is the disadvantage if we use certs with sha1?
>   
"sha256 is more secure, while sha1 is more widely used", as Wikipedia 
tells us:
http://en.wikipedia.org/wiki/SHA_hash_functions#SHA-2_family

SHA1 uses a 160-bit digest, which is easier to break than a 256-bit 
digest. But of course, if Windows XP doesn't support sha256, you 
shouldn't use sha256 if you think you'll communicate with people who are 
still on Windows XP.

As long as you don't specifically want to protect your email against 
government agencies or against criminals with tens of millions of 
dollars available to break just your email, any of these algorithms 
should be secure enough.
However, you create your CA for the next half decade or so, so you want 
to be certain that your hashes are still secure five years from now. As 
always, there's a tradeoff between security on the one hand, and ease of 
use on the other.

At any rate, I'm glad you found the problem :-)

dagdag
Christine

> thank you for your help.
>
> regards
>
> Andreas Schubert
> Transline Deutschland Dr.-Ing. Sturz GmbH
>
>
> "Martijn Brinkers" <m.brinkers at pobox.com> wrote on 15.07.2009 21:58:29:
>
>> That's really strange. I have tested it with different windows xp
>> installations. Also others have been able to import the pfx without
>> problems. So the main question now is what's different in your setup?
>> I have seen problems installing certs in the past when access to the
>> registry was refused for some actions (the certs are imported into the
>> registry). Perhaps a virus scanner does not allow you to install a
>> root? What happens when you install only the root (as a cer file) into
>> the root store? Is it also installed into the intermediate store?
>>
>> Kind regards
>>
>> Martijn
>> --- sent from Blackberry
>
> _______________________________________________
> Users mailing list
> Users at lists.djigzo.com
> http://lists.djigzo.com/lists/listinfo/users
>
>   


-- 
dagdag is just a two-character rotation of byebye.

