a new free smime service, but...

MFPA 2017-r3sgs86x8e-lists-groups at riseup.net
Tue Oct 22 01:41:10 CEST 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 20 October 2019 at 3:20:41 PM, in
<mid:87a79vsdl2.fsf at mat.ucm.es>, Uwe Brauer via Gnupg-users wrote:-


> I just found that
> https://extrassl.actalis.it/portal/uapub/doProcess

> Provides a free smime certificate.

[...]

> does somebody know whether there is a security
> breach, the way this
> certificate was generated?

I'm no expert but their Certificate Policy reads to me that the
private key is compromised right from the start. I think usually the
keys are generated on the subscriber's device and only the public key
goes to the CA to be certified.
https://www.actalis.it/documenti-it/caact-free-s-mime-certificates-policy.aspx

    3.2.2 Proving possession of private key

    The private cryptographic key corresponding to the public key
    within the certificate is generated by the CA (with a suitable
    algorithm, size, etc.) and subsequently sent to the subscriberin
    PKCS#12 for-mat[PFX], via email, thereby insuring that the
    subscriber does possess the private key.The password needed to
    import the PKCS#12 file isprovided to the subscriber out-of-band
    (via web), therefore protecting it from unwanted disclosure to
    third parties. The CA does not retain such pass-word, so that the
    legitimate subscriber –assuming that he/she keeps such password
    confidential –remains the only person able to import the PKCS#12.

And

    4.1Certificate Application, Processing and Issuance
    To apply for a certificate pursuant to this CP, after accepting the
    quote, the requestor shall fill in and submit aweb-basedrequest
    formto be found on the CA web site.Before the requestor can
    actually submit the certificate request form to the CA, he/she
    must read and accept this Certificate Policy and the Terms &
    Conditions; both documents are made available for download in the
    same web form. The requestor’s acceptance is expressed by “point &
    click”, as allowed by Italian and European legislation on distance
    contracts. Furthermore, before the certificate request is
    accepted, the CA shall perform I&A according to §3.2.Upon
    submission of the certificate request form, the CA shall issue the
    certificateand send this latter to the Subscriber via email.The
    certificate is sent to the Subscriber requestor together with the
    corresponding private key, both bundled into a PKCS#12 file[PFX].
    The password needed to decipher the PKCS#12 file is shown to the
    requestor in the browser, at the end of the certificate request
    procedure. It is up to the Subscriber to keep that password
    confidential and protect it from unwanted loss

- --
Best regards

MFPA                  <mailto:2017-r3sgs86x8e-lists-groups at riseup.net>

The cure for anything is salt water - sweat, tears, or the sea.
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCXa5CFl8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+v+iAQCE1htzI++iZGPw3aWSdvYOtStbg/+RCOq/55iUo4AkXwD+Mpeawj+TjNNK
Kj7Bp9ciiGgtlsxqPeVtls8tMSNFDgaJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCXa5CFl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/+xoD/9rTd1kVPIlVjk9Worhv07MxsJ1
jLfWWifiLApgVG08JhOdjOSY8T3W4Ew/HbuvfS4/Xc1keGja7ZgEw7cSQf6LZxSz
GWH55I3y6zzh5B0JYqu+DWnsRjU3oxQhwWW2rwJFXEiEDBraerA28/8XO3CXBctm
0jjOAAA0VEfwJEJda7W32PqcSqfL+iRcoZc1vC3o6YjOdvpK/tHDNPL4KzAqt+rV
N4IraP1N/3oGKGT303G1U6eAR6Pvmsd7YSb0yLFKUVIsYzYW7GuhTiX65QvHC3ov
ss1vVDjTPxV8a7+0B1QuNlFRBpdrDAdG9t2ecblG5FcIeDrEaigabdN9QQG7RWtr
KPKv2E47bMUGgC3wqgeCO7qiCf6gSIdrI3aEi7Jvfpdu0vq4myf8ysuRL1yywaWJ
OD/taEJ50SNTwT38qWq2KWDEWo4jupPqqHfcWNLFG8ARa0mVu84GwkM7bB1bDsaF
DQKKukXsywq2EhE4CHgjWq/0jUbr6oDjxu7PIwxTdo7f/NWdOxqk9GPDMkIIsut/
fej/L6Rm0NgJfXmvWJAQ9ghCwGE3A+MoOoCWS30Czqz5+P3GpKpLyv54QEc1LrRz
CF8VNvEhMyRPlmlnns6QLvZmoYspXkygRho8xAYIqWQ/fS/ZufkS6FS82TY58fvf
rBJ7qMIUewF91bEIEQ==
=uB21
-----END PGP SIGNATURE-----




More information about the Gnupg-users mailing list