a new free smime service, but...
Uwe Brauer
oub at mat.ucm.es
Wed Oct 23 14:38:23 CEST 2019
> Hi
> On Sunday 20 October 2019 at 3:20:41 PM, in
> <mid:87a79vsdl2.fsf at mat.ucm.es>, Uwe Brauer via Gnupg-users wrote:-
> [...]
> I'm no expert but their Certificate Policy reads to me that the
> private key is compromised right from the start. I think usually the
> keys are generated on the subscriber's device and only the public key
> goes to the CA to be certified.
> https://www.actalis.it/documenti-it/caact-free-s-mime-certificates-policy.aspx
> 3.2.2 Proving possession of private key
> The private cryptographic key corresponding to the public key
> within the certificate is generated by the CA (with a suitable
> algorithm, size, etc.) and subsequently sent to the subscriber in
> PKCS#12 format [PFX], via email, thereby insuring that the
> subscriber does possess the private key. The password needed to
> import the PKCS#12 file is provided to the subscriber out-of-band
> (via web), therefore protecting it from unwanted disclosure to
> third parties. The CA does not retain such password, so that the
> legitimate subscriber – assuming that he/she keeps such password
> confidential – remains the only person able to import the PKCS#12.
Oops, this is really bad. I should have read this. Thanks for pointing it
out. I am wondering why they do such a bizarre thing? Maybe it is easier
to implement?
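The subscriber-side enrollment the reply describes (key pair generated on the subscriber's own device, only the public key sent to the CA), as an added example that is not part of this thread or of the Actalis service; it assumes the openssl CLI is installed and uses placeholder subject values:

```shell
#!/bin/sh
# Added example, not from the thread: generate the S/MIME key pair locally
# and hand the CA only a CSR. The CSR carries the public key plus a
# signature made with the private key, which is the proof of possession,
# so no private key ever travels by email, unlike the quoted PKCS#12 flow.
# Assumes the openssl CLI is installed; the subject values are placeholders.
set -eu

# make_csr DIR EMAIL: writes DIR/key.pem (stays on this machine) and
# DIR/request.csr (what goes to the CA). Returns 0 when the CSR verifies.
make_csr() {
    dir="$1"; email="$2"
    mkdir -p "$dir"
    # Key generation happens here, on the subscriber's device.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$dir/key.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"
    # The request is self-signed with the private key: that signature is
    # the proof of possession, so the CA never needs to see the key itself.
    openssl req -new -key "$dir/key.pem" -out "$dir/request.csr" \
        -subj "/CN=$email/emailAddress=$email" 2>/dev/null
    # Check the proof-of-possession signature before submitting the CSR.
    openssl req -in "$dir/request.csr" -verify -noout 2>/dev/null
}

# csr_is_public_only FILE: returns 0 if FILE carries no private key block,
# i.e. it is safe to send to the CA.
csr_is_public_only() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Usage: sh enroll.sh ./enroll alice@example.com   (address is a placeholder)
if [ "${1:-}" != "" ]; then
    make_csr "$1" "${2:-user@example.com}" \
        && csr_is_public_only "$1/request.csr" \
        && echo "CSR ready to submit: $1/request.csr (key stays in $1/key.pem)"
fi
```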