a new free smime service, but...

Uwe Brauer oub at mat.ucm.es
Wed Oct 23 14:49:16 CEST 2019


   > MFPA via Gnupg-users wrote in <1171562612.20191022004056 at my_localhost_AR>:
   >  |On Sunday 20 October 2019 at 3:20:41 PM, in
   >  |<mid:87a79vsdl2.fsf at mat.ucm.es>, Uwe Brauer via Gnupg-users wrote:-
   >  |
   >  |> I just found that
   >  |> https://extrassl.actalis.it/portal/uapub/doProcess
   >  |
   >  |> Provides a free smime certificate.
   >  ...
   >  |> does somebody know whether there is a security
   >  |> breach, the way this
   >  |> certificate was generated?
   >  |
   >  |I'm no expert but their Certificate Policy reads to me that the
   >  |private key is compromised right from the start. I think usually the

   > I think it is common that S/MIME and SSL certificates are
   > delivered via PKCS12, including the private key.  You then seem to
   > extract the individual things like


I think this is a severe security breach. The private key should never
leave your computer.

   >   $ openssl pkcs12 -in cert.p12 -out certpem.pem -clcerts -nodes
   >   $ # Alternatively
   >   $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts -nokeys
   >   $ openssl pkcs12 -in cert.p12 -out key.pem -nocerts -nodes

   >  |keys are generated on the subscriber's device and only the public key
   >  |goes to the CA to be certified.

   > This is possible via CACert.org, at least still (out of money).
   > You create your local signing request, and the private key.pem never
   > leaves your own box:

   >   $ openssl req -nodes -newkey rsa:4096 -keyout key.pem -out creq.pem

   > (Ensure all email addresses of desire are included in the web
   > form.)
   > Unfortunate that besides Comodo there seems no other provider of
   > free S/MIME certificates.  You can only self-sign, and provide

Comodo does not offer this any more. At the beginning of the year they
reduced the smime certificates' validity from 1 year to 1 month, and now they
have withdrawn it altogether.


   > a safe transport for a certificate to compare with.  Which is why
   > PGP is so nice.

Well, yes, sort of, but I can tell you from my own experience that PGP is more for
hackers while smime is not. I have convinced six of my friends to use
smime, but only one to use pgp.

Self-signed smime certificates are basically useless, because then you
have to tell the other user either to install a root certificate or to
trust the certificate, in which case smime loses its convenience
(compared to pgp).