a new free smime service, but...

Steffen Nurpmeso steffen at sdaoden.eu
Thu Oct 24 00:49:19 CEST 2019


sorry for the late reply.

Ralph Seichter wrote in <87pninuqns.fsf at wedjat.horus-it.com>:
 |* Steffen Nurpmeso:
 |> I think it is common that S/MIME and SSL certificates are delivered
 |> via PKCS12, including the private key. You then seem to extract the
 |> individual things [...]
 |Nope, that is the wrong way round. The correct sequence to obtain an
 |S/MIME certificate is as follows:
 |1. User X creates a private key *locally*. This private key must never
 |be handed to anybody else.
 |2. User X creates a certificate signing request (CSR) and sends it to a
 |certificate authority (CA).
 |3. The CA uses the CSR to create a signed certificate, and sends that
 |certificate back to user X.

Ok, but that is exactly what i have written a few lines later for
the CACert example that i posted, right.  So not nope, Mr.
Where "user X" meant "browser of user X" when i did so for
a StartSSL certificate.  I assume it did the right thing.  But
i do not know.

 |4. User X can then optionally combine private key and signed certificate
 |in a .p12 file to ease importing the data *locally* in his MUA (it is
 |usually more convenient to deal with a single file that combines both
 |private key and certificate).
 |If the process is altered in any way in which a third party gets hold of
 |user X's private key, security is broken, no matter if the private key
 |is password protected or not.

That is surely right.

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

More information about the Gnupg-users mailing list