a new free smime service, but...
Steffen Nurpmeso
steffen at sdaoden.eu
Thu Oct 24 00:49:19 CEST 2019
Hello,
sorry for the late reply.
Ralph Seichter wrote in <87pninuqns.fsf at wedjat.horus-it.com>:
|* Steffen Nurpmeso:
|> I think it is common that S/MIME and SSL certificates are delivered
|> via PKCS12, including the private key. You then seem to extract the
|> individual things [...]
|
|Nope, that is the wrong way round. The correct sequence to obtain an
|S/MIME certificate is as follows:
|
|1. User X creates a private key *locally*. This private key must never
|be handed to anybody else.
|
|2. User X creates a certificate signing request (CSR) and sends it to a
|certificate authority (CA).
|
|3. The CA uses the CSR to create a signed certificate, and sends that
|certificate back to user X.
Ok, but that is exactly what i have written a few lines later for
the CACert example that i posted, right. So not nope, Mr.
Where "user X" meant "browser of user X" when i did so for
a StartSSL certificate. I assume it did the right thing. But
i do not know.
|4. User X can then optionally combine private key and signed certificate
|in a .p12 file to ease importing the data *locally* in his MUA (it is
|usually more convenient to deal with a single file that combines both
|private key and certificate).
|
|If the process is altered in any way in which a third party gets hold of
|user X's private key, security is broken, no matter if the private key
|is password protected or not.
That is surely right.
--steffen
|
|Der Kragenbaer,                  The moon bear,
|der holt sich munter             he cheerfully and one by one
|einen nach dem anderen runter    wa.ks himself off
|(By Robert Gernhardt)
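The four-step sequence quoted above, played through with openssl as an added example (not code from the thread or from either poster); the toy CA, subject names, file paths and export password are constructed for the demonstration:

```shell
# Added example, not from the thread: the quoted four-step issuance sequence played
# through with openssl. The CA is a constructed toy CA; subject names, paths and
# the export password are made up for the demonstration.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1: user X generates the private key locally; it stays under $WORK/user.
gen_user_key() {
    mkdir -p "$WORK/user"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/user/key.pem" 2>/dev/null
}
# Step 2: the CSR carries only the public key and identity; that is what the CA gets.
make_csr() {
    openssl req -new -key "$WORK/user/key.pem" \
        -subj "/CN=User X/emailAddress=userx@example.invalid" \
        -out "$WORK/user/request.csr" 2>/dev/null
}
# Check: nothing sent to the CA may contain private key material.
csr_has_no_private_key() { ! grep -q "PRIVATE KEY" "$WORK/user/request.csr"; }
# Step 3: the CA signs the CSR; the request file is all it ever sees of user X.
ca_sign() {
    mkdir -p "$WORK/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca/ca.key" \
        -subj "/CN=Toy CA" -days 30 -out "$WORK/ca/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/user/request.csr" -CA "$WORK/ca/ca.crt" \
        -CAkey "$WORK/ca/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/user/cert.pem" 2>/dev/null
}
# Step 4: user X bundles key and certificate into a .p12 locally for MUA import.
bundle_p12() {
    openssl pkcs12 -export -inkey "$WORK/user/key.pem" -in "$WORK/user/cert.pem" \
        -certfile "$WORK/ca/ca.crt" -passout pass:changeit -out "$WORK/user/userx.p12"
}
# Check: the certificate chains to the CA and carries the local key's public half.
cert_matches_key() {
    openssl verify -CAfile "$WORK/ca/ca.crt" "$WORK/user/cert.pem" >/dev/null &&
    [ "$(openssl x509 -in "$WORK/user/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/user/key.pem" -pubout 2>/dev/null)" ]
}
run_issuance() {
    gen_user_key && make_csr && csr_has_no_private_key && ca_sign &&
    bundle_p12 && cert_matches_key
}
run_issuance && echo "bundle written to $WORK/user/userx.p12"
```

The private key is only ever read from $WORK/user by user X's own steps (2 and 4); the CA directory receives nothing but the CSR.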
More information about the Gnupg-users mailing list