a new free smime service, but...

Uwe Brauer oub at mat.ucm.es
Wed Oct 23 14:38:23 CEST 2019

> Hi
> On Sunday 20 October 2019 at 3:20:41 PM, in
> <mid:87a79vsdl2.fsf at mat.ucm.es>, Uwe Brauer via Gnupg-users wrote:-

> [...]

> I'm no expert but their Certificate Policy reads to me that the
> private key is compromised right from the start. I think usually the
> keys are generated on the subscriber's device and only the public key
> goes to the CA to be certified.
> https://www.actalis.it/documenti-it/caact-free-s-mime-certificates-policy.aspx

>     3.2.2 Proving possession of private key

>     The private cryptographic key corresponding to the public key
>     within the certificate is generated by the CA (with a suitable
>     algorithm, size, etc.) and subsequently sent to the subscriberin
>     PKCS#12 for-mat[PFX], via email, thereby insuring that the
>     subscriber does possess the private key.The password needed to
>     import the PKCS#12 file isprovided to the subscriber out-of-band
>     (via web), therefore protecting it from unwanted disclosure to
>     third parties. The CA does not retain such pass-word, so that the
>     legitimate subscriber –assuming that he/she keeps such password
>     confidential –remains the only person able to import the PKCS#12.

Oops this is really bad. I should have read this. Thanks for pointing it
out. I am wondering why they do such a bizarre thing? Maybe it is easier
to implement?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5025 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20191023/6f9789a9/attachment.bin>

More information about the Gnupg-users mailing list