a new free smime service, but...

Steffen Nurpmeso steffen at sdaoden.eu
Thu Oct 24 00:51:40 CEST 2019


Steffen Nurpmeso wrote in <20191023224323.KAODd%steffen at sdaoden.eu>:
 ||> I think it is common that S/MIME and SSL certificates are
 ||> delivered via PKCS12, including the private key.  You then seem to
 ||> extract the individual things like
 ||I think this is a severe security breach. The private key should never
 ||leave your computer.


 ||>   $ openssl pkcs12 -in cert.p12 -out certpem.pem -clcerts -nodes
 ||>   $ # Alternatively
 ||>   $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts -nokeys
 ||>   $ openssl pkcs12 -in cert.p12 -out key.pem -nocerts -nodes
 ||>|keys are generated on the subscriber's device and only the public key
 ||>|goes to the CA to be certified.
 |With StartSSL it was like that, the browser generated the signing
 |request i hope.  But i do not know.
 |And, the above i inherited in the manual of the software
 |i maintain.  I have not seen this in the wild on my own.

This is actually only half true.  The original manual only
contains the first of the three.

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

More information about the Gnupg-users mailing list