a new free smime service, but...
2017-r3sgs86x8e-lists-groups at riseup.net
Tue Oct 22 01:40:56 CEST 2019
On Sunday 20 October 2019 at 3:20:41 PM, in
<mid:87a79vsdl2.fsf at mat.ucm.es>, Uwe Brauer via Gnupg-users wrote:-
> I just found that
> Provides a free smime certificate.
> Does somebody know whether there is a security breach, the way this
> certificate was generated?
I'm no expert but their Certificate Policy reads to me that the
private key is compromised right from the start. I think usually the
keys are generated on the subscriber's device and only the public key
goes to the CA to be certified.
3.2.2 Proving possession of private key

The private cryptographic key corresponding to the public key within
the certificate is generated by the CA (with a suitable algorithm,
size, etc.) and subsequently sent to the subscriber in PKCS#12 format
[PFX], via email, thereby insuring that the subscriber does possess
the private key. The password needed to import the PKCS#12 file is
provided to the subscriber out-of-band (via web), therefore protecting
it from unwanted disclosure to third parties. The CA does not retain
such password, so that the legitimate subscriber – assuming that
he/she keeps such password confidential – remains the only person
able to import the PKCS#12.
4.1 Certificate Application, Processing and Issuance

To apply for a certificate pursuant to this CP, after accepting the
quote, the requestor shall fill in and submit a web-based request form
to be found on the CA web site. Before the requestor can actually
submit the certificate request form to the CA, he/she must read and
accept this Certificate Policy and the Terms & Conditions; both
documents are made available for download in the same web form. The
requestor's acceptance is expressed by "point & click", as allowed by
Italian and European legislation on distance contracts. Furthermore,
before the certificate request is accepted, the CA shall perform I&A
according to §3.2. Upon submission of the certificate request form,
the CA shall issue the certificate and send this latter to the
Subscriber via email. The certificate is sent to the Subscriber
requestor together with the corresponding private key, both bundled
into a PKCS#12 file [PFX]. The password needed to decipher the PKCS#12
file is shown to the requestor in the browser, at the end of the
certificate request procedure. It is up to the Subscriber to keep that
password confidential and protect it from unwanted loss
MFPA <2017-r3sgs86x8e-lists-groups at riseup.net>
The cure for anything is salt water - sweat, tears, or the sea.
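The subscriber-side flow MFPA describes, as an added example that is not from the post, the list, or the CA's policy text: the key pair is generated on the subscriber's device and only a CSR, which carries the public key, goes to the CA. It assumes openssl 1.1.1 or later is installed; the address and file paths are placeholders.

```shell
#!/bin/sh
# Added example: local key generation plus a CSR, so the CA never holds
# the private key. EMAIL and WORKDIR are placeholders, not real values.
set -eu

EMAIL="${EMAIL:-subscriber@example.org}"   # placeholder address
WORKDIR="${WORKDIR:-$(mktemp -d)}"         # scratch directory for the files
KEY="$WORKDIR/smime.key"
CSR="$WORKDIR/smime.csr"

# Step 1: generate the key pair locally, readable only by this user.
make_local_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$KEY" 2>/dev/null
  chmod 600 "$KEY"
}

# Step 2: build the CSR. It is signed with the private key (that is the
# proof of possession) but carries only the public key and the identity.
make_csr() {
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/CN=$EMAIL" -addext "subjectAltName=email:$EMAIL" 2>/dev/null
}

# Step 3: checks before anything leaves the machine:
#   - the CSR's self-signature verifies (proof of possession works);
#   - the public key inside the CSR is the one belonging to our key;
#   - the file we are about to send contains no private key material.
csr_is_safe_to_send() {
  openssl req -in "$CSR" -noout -verify 2>/dev/null || return 1
  pub_from_key=$(openssl pkey -in "$KEY" -pubout 2>/dev/null)
  pub_from_csr=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null)
  [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_csr" ] || return 1
  ! grep -q "PRIVATE KEY" "$CSR"
}

main() {
  make_local_key
  make_csr
  csr_is_safe_to_send && echo "CSR ready at $CSR; private key stays in $WORKDIR"
}

main
```

Only the CSR is submitted to the CA; the certificate it returns is then paired locally with the key that never left the device.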