Correct CRL and OCSP URIs along certificate chain

Merely because of private interest and usage in my own network, I’m creating a certificate chain (Root CA → Intermediate CA → Server cert) using openssl. I’d like the certificate chain to be traceable and also to be able to revoke certificates.

At the moment, I am not sure which CRL Distribution Points (crlDistributionPoints in openssl config speech) and OCSP URIs (authorityInfoAccess = OCSP;URI: ... and authorityInfoAccess = OCSP;caIssuers: ...) are the correct ones to set when creating a certificate. Examining the certificates of some public websites, it seems to me that the following is the way to go. So, would you please check whether I’m right?

Root CA certificate:

  • CRL: Root CA CRL or none at all
  • OCSP URI: OCSP URI of Root CA or none at all
  • CA Issuer: URI of Root CA certificate or none at all

Intermediate CA certificate:

  • CRL: Root CA CRL
  • OCSP URI: OCSP URI of Root CA
  • CA Issuer: URI of Root CA

Server certificate:

  • CRL: Intermediate CA CRL
  • OCSP URI: OCSP URI of Intermediate CA*)
  • CA Issuer: URI of Intermediate CA

*) It seems one OCSP responder could handle OCSP requests for the Root and the Intermediate CA. If so, I could also use the Root CA’s OCSP URI, right?

So, every certificate’s data has to point “one level up”, to the location where its own validity can be checked. Is that correct?

And btw, is there any OCSP responder you can recommend? I tried openssl’s own one and the one from openca, but both had disadvantages for me.

Thank you in advance!
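The layout asked about above, carried through with openssl as an added example (this is not code from the question; the host names pki.example.test and ocsp.example.test, the file names, subjects and lifetimes are placeholders chosen for the example). The root gets no pointers at all, the intermediate points at the root's CRL, OCSP responder and certificate, and the server certificate points at the intermediate's. A single OCSP URL is reused for both CA levels, matching the footnote in the question. Only the pointers are embedded here; publishing the CRLs and running a responder at those URLs is a separate job.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the Root -> Intermediate
# -> Server chain with openssl and embeds the "one level up" pointers from the
# question. The host names (pki.example.test, ocsp.example.test), file names and
# lifetimes are placeholders chosen for this example. Needs openssl 1.1.1+.
set -eu

ROOT_URL="http://pki.example.test/root"          # root.crt / root.crl published here
INT_URL="http://pki.example.test/intermediate"   # intermediate.crt / intermediate.crl here
OCSP_URL="http://ocsp.example.test"              # one responder can answer for both CAs

# newcsr <name> <subject>: fresh P-256 key plus CSR, written to <name>.key / <name>.csr
newcsr() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# sign <name> <days> [<ca-name>]: sign <name>.csr with the extensions read from
# stdin; without <ca-name> the certificate is self-signed.
sign() {
  ext=$(mktemp)
  cat > "$ext"
  if [ "$#" -ge 3 ]; then
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
      -days "$2" -extfile "$ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days "$2" -extfile "$ext" -out "$1.crt" 2>/dev/null
  fi
  rm -f "$ext"
}

# build_chain <dir>: create root, intermediate and server certificates in <dir>
build_chain() {
  (
    cd "$1"
    # Root CA. Its own CRL/AIA pointers are optional: a client that trusts the
    # root never fetches anything to validate it, so none are set here.
    newcsr root "/CN=Example Root CA"
    sign root 3650 <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    # Intermediate CA: every pointer names the ROOT, the issuer that can revoke it.
    newcsr intermediate "/CN=Example Intermediate CA"
    sign intermediate 1825 root <<EOF
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
crlDistributionPoints=URI:$ROOT_URL.crl
authorityInfoAccess=OCSP;URI:$OCSP_URL,caIssuers;URI:$ROOT_URL.crt
EOF
    # Server certificate: every pointer names the INTERMEDIATE that issued it.
    newcsr server "/CN=www.example.test"
    sign server 398 intermediate <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
subjectKeyIdentifier=hash
crlDistributionPoints=URI:$INT_URL.crl
authorityInfoAccess=OCSP;URI:$OCSP_URL,caIssuers;URI:$INT_URL.crt
EOF
  )
}

# cert_has_uri <cert> <extension> <url>: exit 0 when the extension carries URI:<url>
cert_has_uri() {
  openssl x509 -in "$1" -noout -ext "$2" | grep -qF "URI:$3"
}

# show_pointers <cert>: print the CRL and AIA pointers of one certificate
show_pointers() {
  echo "== $1"
  openssl x509 -in "$1" -noout -ext crlDistributionPoints,authorityInfoAccess
}

# Stand-alone run: build into a scratch directory, print the pointers and
# check that the chain validates (the pointers play no part in path building).
dir=$(mktemp -d)
build_chain "$dir"
for c in root intermediate server; do show_pointers "$dir/$c.crt"; done
openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/intermediate.crt" "$dir/server.crt"
```

The final `openssl verify` passes whether or not the pointers are present: chain building uses issuer names and key identifiers, and the CRL/AIA URLs only matter once a client is asked to check revocation (for example `openssl verify -crl_check` with the published CRLs in `-CRLfile`). Running `cert_has_uri "$dir/server.crt" crlDistributionPoints "$ROOT_URL.crl"` returns non-zero, which is the check for the mistake the question is guarding against: a leaf that points at the root's CRL would be consulting a list the intermediate never writes to.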

How did (in particular) Americans just go along with the concept of having to own and show “photo id” everywhere? [closed]

I remember hearing or seeing a documentary or something a “long” time ago, likely in the early 2000s, about how a lot of Americans (USAians) refused to show an “id” even when voting, where it might possibly be justified to demand some form of identification in order to prevent duplicate votes (if you believe in the concept of democracy in the first place, which is not on-topic for this question).

I also know for a fact that they never had to show IDs to board cruise ships and stuff, for the longest time.

Nowadays, you have to scan and send a photo id to many sites or services online, you can’t so much as collect a package at the post office (pre-paid, with the notification number with you) where I live (Europe), and you’d never be allowed to board any kind of ship or airplane or anything like that without them “verifying” exactly who you are. This seems to very much go for Americans as well.

They even have “facial recognition” and hi-tech x-rays showing you fully naked to the personnel and whoever gets access to their computer systems (massive leaks happen every day).

I wonder: how did this happen without anyone putting up any kind of fight? I could really, really use a vacation for the first time in my life, and it would be interesting to go on one of those huge cruise ships, but given that they not only charge through the nose for it, but demand that I show them photo id to board it (not just my ticket), it’s an impossibility to me.

I literally don’t own a photo id, and getting one would involve having to go to some government building and all kinds of scary (to me) stuff. It’s way more than not wanting to be tracked, which in itself should be enough as a reason for not playing along with this. I feel fundamentally violated having to “prove who I am”. I just have zero interest in doing so. I’m violently disinterested in being tracked by anyone, for any reason, anywhere.

So how did Americans, who traditionally have been extremely “freedom-loving”, just go along with this? I’m furious and steaming from just thinking about this, and I live in the “merry old oppressive Europe”… I can only imagine how many Americans must feel completely “trapped” wherever they live because everything requires you to have these photo ids.

K-nearest along ray in large point cloud

Are there any well-known data structures that can handle the following (I need to scope whether something is possible):

  1. Return the k-closest points to a ray shot through the cloud.

  2. Allow quick updates of point locations (basically every point is moved every 500000 queries or so, at which point around 500000 old points are removed and the same number added).

In this case the number of points in the cloud will be approximately 3.5 million. The application is in 3D graphics.

How to present boolean options along with selecting exactly 1 of them as “primary”?

I have a situation in a web browser where I have a number (let’s say 3-10) of alternatives to present to the user.

  • The end user must choose at least one of these options to be enabled
  • The end user must choose exactly one of the enabled options to be the “primary” option.

I’m not sure how best to do this, though. Here’s a contrived situation about a stew that might help illustrate this better:

[image]

There are 7 potential ingredients, the user has to enable or disable each of them (cries out for a checkbox) but at least one of them has to be enabled; and exactly one of them must be the primary ingredient (cries out for a radio button).

  • If I choose a dumb form with no constraint checking, this is easy to implement, but they could choose Beef, Pork, and Carrots as the enabled ingredients and then Potatoes as the primary ingredient (which is a problem since they did not check the Potatoes box among the enabled ingredients)

  • Or I could put the primary ingredient first, then allow them to select secondary ingredients, and force the primary ingredient to be selected in the list of secondary ingredients (beef in the example below) and not allow it to be unselected. Not too hard to implement in HTML / JavaScript, but then there’s some trickiness… what if I start with the UI state below, then select the primary ingredient as Onions, then as Chicken, and then Pork? What happens to the checkboxes for Onions, Chicken, and Beef?

[image]

Both of these options require duplicating the list twice.

  • Or I could try to use some kind of multichoice slider to select the primary ingredient… which would eliminate the need to duplicate the list… but this isn’t a built-in HTML feature and I’d have to roll my own or try to apply some 3rd-party UI element.

  • Or I could place a radio button and a checkbox in front of each ingredient (radio button for primary ingredient, checkbox to enable non-primary ingredients), which is compact and simple in presentation, but most likely confusing in semantics.

Any suggestions?

How to use GPG to pass along encrypted content and double encrypt

Say I have a document. I want to encrypt it, then give it to my friend, and I don’t want them to be able to decrypt it. I want them to encrypt it again using their GPG system. Then to decrypt it my friend has to first decrypt it, send it to me, and I decrypt it.

How do I do that roughly with the GPG CLI? I am confused because there are 3 interrelated elements.

gpg --encrypt --sign --armor -r person@email.com -r foo@bar.com name_of_file

  • encrypt
  • sign
  • recipients

I am not sure how they all relate or what they do exactly. Do I just encrypt it without signing and without recipients, pass it to my friend and they encrypt it without signing or adding recipients?
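The exchange described in the question, run end to end with the gpg CLI as an added example (not code from the question or from GnuPG). It uses two throw-away keyrings standing in for "me" and "my friend"; the user IDs me@example.test and friend@example.test, the sample text and the file names are placeholders chosen for the example, and the keys are generated without a passphrase purely so the script runs unattended. The point it makes about the three elements: `-r` names the key that will be able to decrypt (so you encrypt to yourself, not to your friend), `--sign` is independent of encryption and is left out here, and the friend's second `--encrypt` simply treats your ciphertext as input data.

```shell
#!/bin/sh
# Added example, not code from the original post: the "encrypt to myself, let
# my friend wrap it again, unwrap in reverse" flow done with the gpg CLI, using
# two throw-away keyrings so it runs offline. The user IDs (me@example.test,
# friend@example.test), the sample text and file names are placeholders chosen
# for this example. Needs GnuPG 2.1+; keys are created without a passphrase
# for the demonstration only.
set -eu

# g <homedir> <gpg args...>: run gpg non-interactively against one keyring
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback \
      --passphrase '' "$@"
}

# setup_party <homedir> <user-id>: fresh keyring holding one unprotected key
setup_party() {
  mkdir -p "$1"; chmod 700 "$1"
  g "$1" --quick-gen-key "$2" default default never 2>/dev/null
}

# double_wrap_roundtrip <scratch-dir>: returns 0 when every step behaves as
# described in the question, 1 otherwise
double_wrap_roundtrip() {
  W=$1; ME="$W/me"; FRIEND="$W/friend"
  setup_party "$ME" me@example.test
  setup_party "$FRIEND" friend@example.test
  printf 'constructed sample document\n' > "$W/doc.txt"   # constructed input

  # 1. I encrypt to MYSELF: -r names who may decrypt, not who I hand the file to.
  #    No --sign: a signature would only prove to the reader who wrote it.
  g "$ME" --armor -r me@example.test --encrypt -o "$W/doc.asc" "$W/doc.txt"

  # 2. My friend cannot read that layer (no matching secret key in their ring)...
  if g "$FRIEND" --decrypt -o /dev/null "$W/doc.asc" 2>/dev/null; then
    return 1
  fi
  # ...but can wrap it again, this time to THEMSELVES. gpg does not care that
  # the input is already ciphertext.
  g "$FRIEND" -r friend@example.test --encrypt -o "$W/doc.asc.gpg" "$W/doc.asc"

  # 3. Unwrap in reverse order: the friend peels the outer layer, I peel the inner.
  g "$FRIEND" --decrypt -o "$W/doc.asc.back" "$W/doc.asc.gpg"
  g "$ME" --decrypt -o "$W/doc.txt.back" "$W/doc.asc.back"

  if cmp -s "$W/doc.txt" "$W/doc.txt.back"; then rc=0; else rc=1; fi
  # stop the agents that gpg started for the throw-away keyrings
  gpgconf --homedir "$ME" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$FRIEND" --kill gpg-agent 2>/dev/null || true
  return $rc
}

# Stand-alone run
scratch=$(mktemp -d)
if double_wrap_roundtrip "$scratch"; then
  echo "round trip OK"
else
  echo "round trip FAILED"; exit 1
fi
```

In real use each party keeps their own existing keyring, so the `--homedir` and key generation go away and only the four `--encrypt`/`--decrypt` invocations remain; `--armor` on the inner layer is optional, it just makes the intermediate file mailable text as in the command line quoted above.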

Using OAuth2 with JWT, should a client pass along unused refresh tokens on a logout call?

I have a system with an OAuth2 authorization server. It hands out JWT access tokens and refresh tokens (the latter only to the mobile app client).

We don’t persist access tokens (as is normal with JWT) but we do persist the (hashed) refresh tokens together with some metadata to be able to revoke them so that users can log out other devices. We also only allow a single use for refresh tokens; the new request also gives back a new refresh token.

The OAuth2 login server itself uses regular basic auth with sessions. The user wants to be able to log out (single devices/clients) here. So of course I have to invalidate the session itself. But ideally I want to remove the refresh token that this client still has as well. The problem is that I don’t know that refresh token. A particular user could in theory have requested multiple of them with their code request. The refresh token is also not normally passed in requests (only the access token).

Should I ask the clients (which are currently all under our own development) to send along their unused refresh tokens? Even if they ‘forget’ their refresh tokens locally, it still seems better if I also delete them on the server so they don’t linger around until their expiry time. Note I do know all the refresh tokens currently in use for a certain account but I don’t want to just delete them all because that would mean all devices are logged out. We also save some user agent-like info with the refresh tokens so users can use that to manually logout other devices, but it seems like a bad idea to try to perform string matching on those to automate that process.

Unable to install Ubuntu along with Windows 10, HP Omen Laptop

So I have crawled around the web for 2 days now, only to notice that (1) I’m not the only one with this problem and (2) not a single person really knows how to fix this. There is not a single good guide or video out there to solve this problem, so here we go…

Computer Specs: https://support.hp.com/us-en/document/c05609719

I upgraded to 16 GB of RAM and installed a Samsung 970 Pro SSD.

secure boot = disabled

TPM = Available / disabled

SGX = disabled

Legacy boot = disabled

I have installed Ubuntu on a live USB; I have verified the install and checked for bad blocks on the USB (3.0).

So when I insert the USB, the standard GRUB loader comes up. I scroll down to “Install Ubuntu” and press E.

Then I go to the end of the following line:

linux /casper/vmlinuz.efi file=/cdrom/preseed/ubuntu.seed boot=casper only-ubiquity quiet splash —

I have tried the following additional commands:

nouveau.modeset=0

acpi=off

modprobe.blacklist=nouveau

nomodeset

None of these have worked at any time. Currently, after I press F10, I am getting an error saying:

failed to claim resource 1. platform device creation failed: -16

My understanding is that it has something to do with NVIDIA drivers; please help.

PS. Ubuntu why haven’t you fixed this yet. It’s been a plague since 16.04.